Bug 1387789

Summary: [RFE] Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: RFEAssignee: Paul Weil <pweil>
Status: CLOSED NOTABUG QA Contact: Xiaoli Tian <xtian>
Severity: high Docs Contact:
Priority: high    
Version: 3.3.0CC: aos-bugs, erich, javier.ramirez, jialiu, jliggitt, jokerman, lmeyer, mbarrett, mmccomas, pdwyer, sjr, xtian
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-27 18:47:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ryan Howe 2016-10-21 22:10:26 UTC 
Description of problem:

Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389. As CBC ciphers are vulnerable with tlsv1 this should be configurable. 

https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L34

Version-Release number of selected component (if applicable):
3.3
Comment 1 Jordan Liggitt 2016-10-21 23:57:45 UTC 
Upstream is already at tls1.2. All supported browsers support that as well. 

https://github.com/openshift/origin/issues/11495 is open to test switching to that