Bug 1571401

Summary: [RFE] Ability to disable TLS versions via router variables.
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: RFE Assignee: Ben Bennett <bbennett>
Status: CLOSED DEFERRED QA Contact: Xiaoli Tian <xtian>
Severity: medium Docs Contact:
Priority: high    
Version: 3.9.0 CC: alchan, aos-bugs, bbennett, erich, jokerman, maupadhy, mmccomas, mmckinst, prsharma, sreber
Target Milestone: --- Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-14 15:29:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2018-04-24 17:06:26 UTC
Description of problem:

Disable tlsv1.0 and/or tlsv1.1 via Router variable versus needing to customize the router template. 

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L52

Set this line if disabling tls versions. 

   ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


Maybe the change would look like this: 

3.7+ 
  ssl-default-bind-options no-sslv3 {{- if isTrue (env "DISABLE_TLSv10") }} no-tlsv10 {{- end }} {{- if isTrue (env "DISABLE_TLSv11") }} no-tlsv11 {{- end }}

3.6 or less
 ssl-default-bind-options no-sslv3 {{- if matchPattern "true|TRUE"  (env "DISABLE_TLSv10" "") }} no-tlsv10 {{- end }} {{- if  matchPattern "true|TRUE" (env "DISABLE_TLSv11" "") }} no-tlsv11 {{- end }}
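Added example, not part of the original report or the router's own code: the 3.7+ line above rendered with Go's text/template, so the resulting HAProxy option line and the legacy TLS versions it leaves enabled can be checked for each variable setting. The `env` and `isTrue` functions here are local stand-ins (assumptions) for the router's template helpers, and `render` and `legacyEnabled` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// The 3.7+ line from the report; each option sits between {{ if }} and {{ end }}.
const bindLine = `ssl-default-bind-options no-sslv3 {{- if isTrue (env "DISABLE_TLSv10") }} no-tlsv10 {{- end }} {{- if isTrue (env "DISABLE_TLSv11") }} no-tlsv11 {{- end }}`

// render executes bindLine against vars, which stands in for the router pod's
// environment. env and isTrue are stand-ins, not the router's implementations.
func render(vars map[string]string) (string, error) {
	funcs := template.FuncMap{
		"env":    func(name string) string { return vars[name] },
		"isTrue": func(s string) bool { b, _ := strconv.ParseBool(s); return b },
	}
	t, err := template.New("bind").Funcs(funcs).Parse(bindLine)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, nil)
	return sb.String(), err
}

// legacyEnabled lists the legacy TLS versions the rendered line does not disable.
func legacyEnabled(line string) (on []string) {
	for _, p := range [][2]string{{"no-tlsv10", "TLSv1.0"}, {"no-tlsv11", "TLSv1.1"}} {
		if !strings.Contains(" "+line+" ", " "+p[0]+" ") {
			on = append(on, p[1])
		}
	}
	return on
}

func main() {
	// Constructed variable combinations: unset, one set, both set.
	for _, vars := range []map[string]string{
		{}, {"DISABLE_TLSv10": "true"}, {"DISABLE_TLSv10": "true", "DISABLE_TLSv11": "true"},
	} {
		line, err := render(vars)
		fmt.Printf("%q err=%v still enabled: %v\n", line, err, legacyEnabled(line))
	}
}
```

The `{{-` markers trim the whitespace before each action, so the rendered line has single spaces between options and no trailing space when a variable is unset.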

Comment 2 Marc Curry 2019-04-18 22:34:14 UTC
*** Bug 1570002 has been marked as a duplicate of this bug. ***

Comment 4 Rory Thrasher 2019-06-11 21:17:04 UTC
Red Hat is moving OpenShift feature requests to a new JIRA RFE system. This bz (RFE) has been identified as a feature request which is still being evaluated and has been moved.

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

https://.jira.coreos.com/browse/RFE-167