Bug 1299014
| Summary: | [RFE] Configuration setting to set cipher on Openshift node web proxy | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
| Component: | Security | Assignee: | Rory Thrasher <rthrashe> |
| Status: | CLOSED ERRATA | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.2.0 | CC: | anli, erich, jialiu, jokerman, lmeyer, mmccomas, rthrashe, tiwillia, xiama |
| Target Milestone: | --- | Flags: | anli: needinfo- |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openshift-origin-node-proxy-1.26.2.1-1.el6op | Doc Type: | Enhancement |
| Doc Text: | Feature: Allow the cipher suite used for the node web proxy to be configured. Reason: Certain ciphers may need to be disabled or enabled depending on an organization's security policies. Result: The cipher suite can now be configured in the /etc/openshift/node-web-proxy.json configuration file. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-22 16:54:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/7dec6165f2e8d3ac3c7bf3b8b5dfaf7adfc7aa6e
Specify cipher suite in node-web-proxy configuration
Bug 1299014
https://bugzilla.redhat.com/show_bug.cgi?id=1299014
Additionally, remove forcing the use of SSLv2_3. Also add the node-web-proxy.json file as a configuration file.
Note that a default was specified for the new ciphers option so that old configuration files without this option will not cause issues.

Due to https://bugzilla.redhat.com/show_bug.cgi?id=1302787#c5. Shall we fix in openshift-origin-node-proxy?

Check on puddle [2.2.9/2016-02-25.2]
1. change the "ciphers" configuration
#vim /etc/openshift/web-proxy-config.json
<--snip-->
"private_key": "/etc/pki/tls/private/localhost.key",
"ciphers" : "!IDEA:+3DES"
<--snip-->
2. restart the service
/etc/init.d/openshift-node-web-proxy restart
3. check the web-proxy log
1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
The ciphers config: !IDEA:+3DES
1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy
The configuration takes effect, move this issue to VERIFIED.
(In reply to Ma xiaoqiang from comment #6)
> Check on puddle [2.2.9/2016-02-25.2]
>
> 1. change the "ciphers" configuration
> #vim /etc/openshift/web-proxy-config.json
> <--snip-->
> "private_key": "/etc/pki/tls/private/localhost.key",
> "ciphers" : "!IDEA:+3DES"
> <--snip-->
>
> 2. restart the service
> /etc/init.d/openshift-node-web-proxy restart
>
> 3. check the web-proxy log
> 1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
> The ciphers config: !IDEA:+3DES
> 1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy
>
> The configuration takes effect, move this issue to VERIFIED.

Check the default configuration
# vim /etc/openshift/web-proxy-config.json
"ciphers" : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"
it disabled the RC4.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-0489.html
Description of problem: We need to have the ability to disable RC4 cipher on Openshift node web proxy (8443 port). Version-Release number of selected component (if applicable): 2.2 Additional info: Current work around would be to manually edit the http-utils.js file. --- /opt/rh/nodejs010/root/usr/lib/node_modules/openshift-node-web-proxy/lib/utils/http-utils.js 2016-01-14 19:08:44.514950556 -0500 +++ - 2016-01-14 19:08:58.258815213 -0500 @@ -36,6 +36,7 @@ ssl_opts.cert = fs.readFileSync(opts.certificate); ssl_opts.key = fs.readFileSync(opts.private_key); + ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4"; proto_handler = https.createServer(ssl_opts); break; } We need the ability to modify ciphers in /etc/openshift/web-proxy-config.json
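Review bot: the workaround line `ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4";` does more than disable RC4; it pins the proxy to a single RSA-key-exchange, TLS 1.2-only suite, so any client that cannot negotiate AES256-GCM-SHA384 is locked out and no ECDHE suite with forward secrecy remains, and the trailing `!RC4` is redundant once the list names one explicit suite. A value that subtracts RC4 from a full list (for example `DEFAULT:!RC4`, or the list later shipped as the proxy's default) meets the goal of this bug with far less client breakage. Because the edit lives under /opt/rh/nodejs010/root/usr/lib/node_modules/, it will also be overwritten by the next package update, which is why sourcing the value from /etc/openshift/web-proxy-config.json, as the report asks, is the proper fix rather than patching http-utils.js in place.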