Bug 1299014
| Summary: | [RFE] Configuration setting to set cipher on Openshift node web proxy | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
| Component: | Security | Assignee: | Rory Thrasher <rthrashe> |
| Status: | CLOSED ERRATA | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.2.0 | CC: | anli, erich, jialiu, jokerman, lmeyer, mmccomas, rthrashe, tiwillia, xiama |
| Target Milestone: | --- | Flags: | anli: needinfo- |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openshift-origin-node-proxy-1.26.2.1-1.el6op | Doc Type: | Enhancement |
| Doc Text: | Feature: Allow the cipher suite used for the node web proxy to be configured. Reason: Certain ciphers may need to be disabled or enabled depending on an organization's security policies. Result: The cipher suite can now be configured in the /etc/openshift/node-web-proxy.json configuration file. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-22 16:54:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ryan Howe
2016-01-15 17:17:11 UTC
Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/7dec6165f2e8d3ac3c7bf3b8b5dfaf7adfc7aa6e
Specify cipher suite in node-web-proxy configuration
Bug 1299014
https://bugzilla.redhat.com/show_bug.cgi?id=1299014
Additionally, remove forcing the use of SSLv2_3. Also add the node-web-proxy.json file as a configuration file.
Note that a default was specified for the new ciphers option so that old configuration files without this option will not cause issues.

Due to https://bugzilla.redhat.com/show_bug.cgi?id=1302787#c5, shall we fix in openshift-origin-node-proxy?

Comment 6
Ma xiaoqiang
Check on puddle [2.2.9/2016-02-25.2]

1. Change the "ciphers" configuration
   # vim /etc/openshift/web-proxy-config.json
   <--snip-->
   "private_key": "/etc/pki/tls/private/localhost.key",
   "ciphers" : "!IDEA:+3DES"
   <--snip-->

2. Restart the service
   /etc/init.d/openshift-node-web-proxy restart

3. Check the web-proxy log
   1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
   The ciphers config: !IDEA:+3DES
   1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy

The configuration takes effect; moving this issue to VERIFIED.

(In reply to Ma xiaoqiang from comment #6)
> Check on puddle [2.2.9/2016-02-25.2]
>
> 1. Change the "ciphers" configuration
> # vim /etc/openshift/web-proxy-config.json
> <--snip-->
> "private_key": "/etc/pki/tls/private/localhost.key",
> "ciphers" : "!IDEA:+3DES"
> <--snip-->
>
> 2. Restart the service
> /etc/init.d/openshift-node-web-proxy restart
>
> 3. Check the web-proxy log
> 1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server
> for secure_http_proxy
> The ciphers config: !IDEA:+3DES
> 1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server
> for secure_http_proxy
>
> The configuration takes effect; moving this issue to VERIFIED.

Check the default configuration
# vim /etc/openshift/web-proxy-config.json
"ciphers" : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"
It disabled RC4.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-0489.html
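Added example, not part of this bug report or of the node-web-proxy code. The "ciphers" value is an OpenSSL cipher string, and the proxy log quoted in the verification comment only echoes that string back; it does not show which cipher suites the string actually selects. The block below expands a cipher string through the same libssl call the Node.js tls layer uses (SSL_CTX_set_cipher_list, exposed in Python as ssl.SSLContext.set_ciphers) and checks the result against a local policy. It shows two things the comments do not: the verification string "!IDEA:+3DES" on its own selects no cipher at all, because "!" and "+" only remove or reorder and nothing was ever added, so libssl rejects it; and appending "!3DES" to the shipped default overrides the earlier "+3DES", because "!" is a permanent removal wherever it appears in the string. Python as a stand-in for the Node.js proxy, the function names, and the forbidden-fragment policy are assumptions of this example.

```python
"""Expand an OpenSSL cipher string (the node-web-proxy "ciphers" value) and
check it against a local policy.  Added example: Python's ssl module is used
as a stand-in for the Node.js tls layer, which hands the same string to
libssl's SSL_CTX_set_cipher_list."""
import ssl

# Default "ciphers" value shipped with the fix, copied from the bug's
# default-configuration check.
DEFAULT_CIPHERS = (
    "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:"
    "kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:"
    "!SEED:!IDEA:+3DES"
)

# Assumed organisational policy: fragments that must not appear in the name
# of any selected cipher.  The shipped default is expected to satisfy this.
FORBIDDEN_FRAGMENTS = ("RC4", "NULL", "EXP", "IDEA", "SEED")


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below cipher names libssl selects for
    cipher_string, in preference order.  Raises ssl.SSLError when the string
    selects nothing, which is what SSL_CTX_set_cipher_list reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites come from a separate list and are always present on
    # OpenSSL >= 1.1.1, so they are not governed by this string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def selects_nothing(cipher_string):
    """True when libssl rejects the string because no cipher matched.
    A proxy that does not check this return value still starts up but can
    never complete a handshake."""
    try:
        expand_cipher_string(cipher_string)
    except ssl.SSLError:
        return True
    return False


def policy_violations(cipher_string, forbidden=FORBIDDEN_FRAGMENTS):
    """Selected cipher names containing a forbidden fragment; [] is clean."""
    return [name for name in expand_cipher_string(cipher_string)
            if any(fragment in name for fragment in forbidden)]


def tighten(cipher_string, excluded_aliases):
    """Append permanent "!" exclusions to an existing string.  A "!" rule
    wins over any earlier plain or "+" rule covering the same ciphers, so
    the shipped default can be tightened without rewriting it."""
    return cipher_string + "".join(":!" + alias for alias in excluded_aliases)


if __name__ == "__main__":
    print("verification string selects nothing:", selects_nothing("!IDEA:+3DES"))
    print("default violations:", policy_violations(DEFAULT_CIPHERS))
    hardened = tighten(DEFAULT_CIPHERS, ["3DES", "CAMELLIA"])
    print("hardened string:", hardened)
    print("hardened violations:",
          policy_violations(hardened, FORBIDDEN_FRAGMENTS + ("DES-CBC3", "CAMELLIA")))
    for name in expand_cipher_string(hardened):
        print("  ", name)
```

The hardened string is what would go into the "ciphers" key of the proxy's JSON configuration; restart the service afterwards as in the verification steps, and compare the expanded list rather than the echoed string when confirming the change.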