From cafd20b233c4a1246f9fb340218d7f4c436ec8bc Mon Sep 17 00:00:00 2001 From: Brendan Burns Date: Tue, 23 Sep 2014 14:14:34 -0700 Subject: [PATCH] Complete the mitm prevention on GCE. --- cluster/gce/util.sh | 20 ++++++++++++++++++-- cluster/saltbase/salt/nginx/kubernetes-site | 4 ++-- cluster/saltbase/salt/nginx/make-ca-cert.sh | 10 +++++----- 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index cf5ad288737..cf15544da84 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -254,9 +254,25 @@ function kube-up { echo echo " https://${user}:${passwd}@${KUBE_MASTER_IP}" echo - echo "Security note: The server above uses a self signed certificate. This is" - echo " subject to \"Man in the middle\" type attacks." + kube_cert=".kubecfg.crt" + kube_key=".kubecfg.key" + ca_cert=".kubernetes.ca.crt" + + (umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/kubecfg.crt "${HOME}/${kube_cert}" && chmod 0600 "${HOME}/${kube_cert}") + (umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/kubecfg.key "${HOME}/${kube_key}" && chmod 0600 "${HOME}/${kube_key}") + (umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/ca.crt "${HOME}/${ca_cert}" && chmod 0600 "${HOME}/${ca_cert}") + (umask 077 && \ +cat << EOF > ~/.kubernetes_auth +{ + "User": "$user", + "Password": "$passwd", + "CAFile": "$HOME/$ca_crt", + "CertFile": "$HOME/$kube_crt", + "KeyFile": "$HOME/$kube_key", +} +EOF && \ + chmod 0600 ~/.kubernetes_auth) } # Delete a kubernetes cluster diff --git a/cluster/saltbase/salt/nginx/kubernetes-site b/cluster/saltbase/salt/nginx/kubernetes-site index 458ebf90f6c..ef5dc96fe36 100644 --- a/cluster/saltbase/salt/nginx/kubernetes-site +++ b/cluster/saltbase/salt/nginx/kubernetes-site 
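Review bot: The `~/.kubernetes_auth` heredoc in this hunk references `$ca_crt` and `$kube_crt`, but the variables assigned a few lines above are `ca_cert` and `kube_cert`, so `CAFile` and `CertFile` expand to a bare `$HOME/` and the client gets neither the CA to verify the server nor a certificate to present, which leaves the MITM prevention this commit sets out to complete inoperative. The `"KeyFile"` member also carries a trailing comma that strict JSON decoders reject, and the terminator line as shown here reads `EOF && \`, which bash does not treat as the heredoc delimiter because the delimiter must stand alone on its line. I would write the last three members as `"CAFile": "$HOME/$ca_cert",` / `"CertFile": "$HOME/$kube_cert",` / `"KeyFile": "$HOME/$kube_key"`, put `EOF` by itself on the next line, and let `chmod 0600 ~/.kubernetes_auth)` follow as the next command inside the subshell. The remaining new lines pull the key material under `umask 077` and `chmod 0600`, which is right; `kube-up`'s body begins before this hunk.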
@@ -38,8 +38,8 @@ server {
 ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
 ssl_prefer_server_ciphers on;
 location / {
diff --git a/cluster/saltbase/salt/nginx/make-ca-cert.sh b/cluster/saltbase/salt/nginx/make-ca-cert.sh
index c15789a8fad..ffb577a3813 100755
--- a/cluster/saltbase/salt/nginx/make-ca-cert.sh
+++ b/cluster/saltbase/salt/nginx/make-ca-cert.sh
@@ -39,9 +39,9 @@ cd easy-rsa-master/easyrsa3
 ./easyrsa --batch build-ca nopass > /dev/null 2>&1
 ./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
 ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
-cp pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
-cp pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
-cp pki/ca.crt /usr/share/nginx/ca.crt
-cp pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
-cp pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
+cp -p pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
+cp -p pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
+cp -p pki/ca.crt /usr/share/nginx/ca.crt
+cp -p pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
+cp -p pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
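Review bot: The new `ssl_protocols` line keeps SSLv3 enabled next to TLS 1.0–1.2, which for a change whose stated purpose is MITM prevention leaves an obsolete protocol on offer that a downgrade attempt can fall back to; `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` costs nothing for TLS-capable clients. The new cipher string is a clear improvement over the old `+LOW:+EXP` list, though it still admits 3DES and the non-ephemeral `RSA+AES` families, which could be trimmed once the kubecfg client is confirmed to negotiate ECDHE suites. Separately, util.sh in this commit now hands a client certificate and key to kubecfg, but nothing in this hunk adds `ssl_client_certificate`/`ssl_verify_client on`; if those directives are not already present elsewhere in the `server` block, nginx never checks the client certificate. The `server` block begins before and ends after this hunk.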
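Review bot: With `cp -p` the mode of `/usr/share/nginx/server.key` and `/usr/share/nginx/kubecfg.key` becomes whatever easyrsa left on `pki/private/*`, so the protection of the private keys now depends on easyrsa's defaults and the umask this script runs under rather than on anything stated here; an explicit `chmod 0600 /usr/share/nginx/server.key /usr/share/nginx/kubecfg.key` after the copies would pin that down. The first two `cp -p` lines also still discard stdout and stderr, so a failed copy of the server key is silent until nginx fails to start. One interaction worth verifying: util.sh in this commit fetches these files with `gcutil pull`, which runs as the SSH login user, so a 0600 root-owned key on the master may not be readable by that fetch. This script's head, and any `set -e` it may use, are outside the hunk.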