Bug 1465572

Summary: [RFE] allow to set TLS cipher suite for the router
Product: OpenShift Container Platform Reporter: Sergi Jimenez Romero <sjr>
Component: NetworkingAssignee: Phil Cameron <pcameron>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: unspecified CC: aos-bugs, bbennett, pcameron, tparsons
Version: 3.5.0   
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: docs pr 4587 Reason: Result:
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 21:58:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sergi Jimenez Romero 2017-06-27 16:25:55 UTC 
3. What is the nature and description of the request?  

The aim is to be able to specify a cipher list on the HAProxy router.

4. Why does the customer need this? (List the business requirements here) 

For having an easier way to comply with their business security requirements.

5. How would the customer like to achieve this? (List the functional requirements here)  

Environment variable or annotations.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Setting a cipher suite and checking whether router answers only to the ones listed.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  

Yes, https://github.com/openshift/origin/pull/14505 (Merged)

10. List any affected packages or components.
router
Comment 3 Phil Cameron 2017-07-10 18:25:52 UTC 
Allow specifying haproxy SSL Cipher list #14505
Comment 4 zhaozhanqi 2017-07-11 01:11:52 UTC 
@Phil Cameron

this bug already fixed some days before and was merged in 3.6. could you help move to 'ON_QA' and I will verified it. thanks.
Comment 5 Phil Cameron 2017-07-11 13:29:00 UTC 
This work was originally done implementing a Trello card. I found the bug and tied it to this work.
Comment 6 zhaozhanqi 2017-07-12 02:27:17 UTC 
verified this bug on openshift v3.6.136

steps: 

1. set the env for router ROUTER_CIPHERS={modern,old,intermediate}, eg

   oc env dc router ROUTER_CIPHERS=modern

2. Create ppd, service,edge/reencrypt route
3. Check the route is using the special cipher.
   curl https://$route -v
Comment 12 errata-xmlrpc 2017-11-28 21:58:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188