| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Non-SSL routes should not serve certificate content. | | |
| Product: | OpenShift Container Platform | Reporter: | Eric Rich <erich> |
| Component: | RFE | Assignee: | Phil Cameron <pcameron> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Yan Du <yadu> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.2.1 | CC: | aos-bugs, atragler, bbennett, bmeng, eparis, jokerman, mmccomas, mnewby, pdwyer, sjr, yadu |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | Feature: suppresses use of the default certificate. Adds the `oc adm router --strict-sni` option and the ROUTER_STRICT_SNI environment variable. When set, the default cert is not used. Reason: Result: | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-16 19:37:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description

Eric Rich
2016-08-24 14:47:54 UTC

The current behavior is intended. Any traffic that hits the router on ports 80 or 443 (or whatever you configured the ports to) gets a response. So, since the traffic came in on port 443, but there was no secure route that matched the request, we send back an HTTP 503 response to say that there is no matching service. However, your complaint is that we are leaking certificate information that gives information out about the secure hosts. I assume you don't want to put the cert in each of the tls routes you create. You might be best off using a custom template for now: https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-configmap-replace-template (But watch out, the 3.3 template may change incompatibly, so keep the original template so you can see your changes.) It looks like you are asking for a way to say if a route doesn't match, don't return 503, but instead drop the connection? Since this is not a regression, we will try to get to it, but may not in 3.4.

Why is this showing up as a blocker?

We are unlikely to make this change... it feels like bad policy to do this in general. If the user wants to change the configuration of the router themselves they can replace the built-in config with a slightly customized version that does this: https://docs.openshift.com/container-platform/3.3/install_config/router/customized_haproxy_router.html

origin PR 14621 https://github.com/openshift/origin/pull/14621

Commit pushed to master at https://github.com/openshift/origin
https://github.com/openshift/origin/commit/e8638ae594a7668805e2489198ceaabea8d05c6c

Do not serve certificate content for Non-SSL routes

By default, when a host does not resolve to a route in a HTTPS or tls sni request, the default cert is returned to the caller as part of the 503 response. This exposes the default cert and may pose security concerns. Haproxy strict-sni option to bind suppresses use of the default cert.

This adds a new environment variable to the router deployment controller, ROUTER_STRICT_SNI, to control bind processing. When set to "true" or "TRUE", "strict-sni" is added to the bind. Default is "false". oc adm router --strict-sni sets ROUTER_STRICT_SNI="true"

bug 1369865 https://bugzilla.redhat.com/show_bug.cgi?id=1369865

openshift-docs PR 45955 https://github.com/openshift/openshift-docs/pull/4595

Docs PR is 4595 (ignore the extra 5 at the end in comment 10)

Commit pushed to master at https://github.com/openshift/openshift-docs
https://github.com/openshift/openshift-docs/commit/d12fee251045692aceacd7796e032078fe8f5c29

Do not serve certificate content for Non-SSL routes

Openshift 3.6

By default, when a host does not resolve to a route in a HTTPS or tls sni request, the default cert is returned to the caller as part of the 503 response. This exposes the default cert and may pose security concerns. Haproxy strict-sni option to bind suppresses use of the default cert. This adds a new environment variable to the router deployment controller, ROUTER_STRICT_SNI, to control bind processing. When set to "true" or "TRUE", "strict-sni" is added to the bind. Default is "false". oc adm router --strict-sni sets ROUTER_STRICT_SNI="true"

origin PR 14621 https://github.com/openshift/origin/pull/14621
bug 1369865 https://bugzilla.redhat.com/show_bug.cgi?id=1369865

Test on latest OCP 3.6.126.1, ROUTER_STRICT_SNI works well, could not get the served certificate content for non-SSL routes when enabling ROUTER_STRICT_SNI.

Test on latest OCP-3.6, ROUTER_STRICT_SNI works well.
openshift v3.6.133
kubernetes v1.6.1+5115d708d7
etcd 3.2.1
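As an added example that is not part of this bug's comments, the origin commit, or the openshift-docs commit: a small shell script that reproduces the ROUTER_STRICT_SNI to HAProxy bind-option mapping the commit message describes, and wraps the kind of check the QA verification ran (connect with an SNI that matches no route and see whether a certificate comes back). The certificate paths on the bind line, the router address, the probe hostname and the two captured outputs are assumptions or constructed samples, not values from the page.

```shell
# Added example; not OpenShift's or HAProxy's own code.
# Certificate paths below are assumed, modelled on the router template's
# default cert plus per-route cert list.

# Emit the HAProxy 'bind' line for :443. When ROUTER_STRICT_SNI is "true"
# or "TRUE" (as the commit describes), append strict-sni so a TLS handshake
# whose SNI matches no configured certificate is refused instead of being
# answered with the default certificate and an HTTP 503.
haproxy_bind_line() {
  strict="${1:-false}"
  line="bind :443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem crt-list /var/lib/haproxy/conf/cert_config.map"
  case "$strict" in
    true|TRUE) line="$line strict-sni" ;;
  esac
  printf '%s\n' "$line"
}

# Read 'openssl s_client' output on stdin and report whether a certificate
# was handed out: a leaked default cert shows up as a PEM block, while with
# strict-sni the handshake fails and no certificate block appears.
served_certificate() {
  grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Probe a live router with an SNI that matches no route. This makes a
# network call and is only defined here, not executed. The router
# host:port and the probe hostname are assumptions.
probe_router() {
  router="${1:?router host:port}"
  sni="${2:-no-such-route.example.com}"
  if openssl s_client -connect "$router" -servername "$sni" </dev/null 2>/dev/null | served_certificate; then
    echo "default certificate served for unmatched SNI $sni"
    return 1
  fi
  echo "no certificate served for unmatched SNI $sni"
}

# Constructed sample outputs standing in for two s_client runs: one against
# a router without strict-sni (default cert plus 503), one with it.
LEAKY_OUTPUT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----
HTTP/1.0 503 Service Unavailable'
STRICT_OUTPUT='CONNECTED(00000003)
(constructed) TLS handshake failure, no certificate presented'

# Pure check over the constructed samples: returns 0 when the leaky run
# shows a certificate and the strict run does not.
samples_behave_as_expected() {
  printf '%s\n' "$LEAKY_OUTPUT" | served_certificate || return 1
  if printf '%s\n' "$STRICT_OUTPUT" | served_certificate; then
    return 1
  fi
  return 0
}
```

The first function is the piece to compare against the router's rendered haproxy.config after setting ROUTER_STRICT_SNI (or passing `oc adm router --strict-sni`); `probe_router` is the manual verification step, run against the router's public address once the deployment has rolled out.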