Bug 1747461

Summary: The router in OCP4 accepts TLS1.0 and TLS1.1 connections with no way to disable them [4.1 backport]
Product: OpenShift Container Platform Reporter: Ben Bennett <bbennett>
Component: NetworkingAssignee: Dan Mace <dmace>
Networking sub component: router QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aos-bugs, bbennett, bmontgom, ccoleman, dmace, hongli, knewcome, mcurry, whearn
Version: 4.1.z   
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1746467 Environment:
Last Closed: 2019-09-25 07:27:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1746467    
Bug Blocks: 1778856    

Comment 2 Hongan Li 2019-09-19 02:34:19 UTC 
Verified with 4.1.0-0.nightly-2019-09-18-220022 and issue has been fixed.

$ openssl s_client -connect <web console route>:443 -tls1
CONNECTED(00000003)
139802301896512:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1535:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 187 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

$ openssl s_client -connect <web console route>:443 -tls1_1
CONNECTED(00000003)
139675855472448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1535:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 187 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported


Check haproxy.config:
  # Configure the TLS versions we support
  ssl-default-bind-options ssl-min-ver TLSv1.2
Comment 4 errata-xmlrpc 2019-09-25 07:27:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2820