Bug 1823852

Summary: Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
Product: OpenShift Container Platform
Reporter: Chad Scribner <cscribne>
Component: Machine Config Operator
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED ERRATA
QA Contact: Michael Nguyen <mnguyen>
Severity: medium
Priority: high
Version: 4.3.0
CC: amurdaca
Target Release: 4.5.0
Hardware: x86_64
OS: Linux
Clone Of:
: 1827539
Last Closed: 2020-07-13 17:27:24 UTC
Type: Bug
Bug Blocks: 1827539    

Comment 9 Michael Nguyen 2020-04-29 17:07:58 UTC
Verified on 4.5.0-0.nightly-2020-04-28-045946.  openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -cipher $(openssl ciphers) -connect localhost:22623 only allows connections using TLS1.2 and above.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-04-28-045946   True        False         130m    Cluster version is 4.5.0-0.nightly-2020-04-28-045946
$ oc get node
NAME                                         STATUS   ROLES    AGE    VERSION
ip-10-0-133-67.us-west-2.compute.internal    Ready    master   152m   v1.18.0-rc.1
ip-10-0-134-255.us-west-2.compute.internal   Ready    worker   142m   v1.18.0-rc.1
ip-10-0-154-202.us-west-2.compute.internal   Ready    worker   142m   v1.18.0-rc.1
ip-10-0-155-175.us-west-2.compute.internal   Ready    master   156m   v1.18.0-rc.1
ip-10-0-172-82.us-west-2.compute.internal    Ready    master   152m   v1.18.0-rc.1
ip-10-0-173-79.us-west-2.compute.internal    Ready    worker   142m   v1.18.0-rc.1
$ oc debug node/ip-10-0-133-67.us-west-2.compute.internal
Starting pod/ip-10-0-133-67us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -cipher $(openssl ciphers) -connect localhost:22623
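
The verification above, expressed as an added Go example (not the operator's code or anything attached to this bug): a loopback crypto/tls server that can be started with either MinVersion, and a probe that repeats the s_client test once per protocol version, pinned to that version. The self-signed certificate, the "localhost" name and the loopback port are constructed for the example; the cert pool stands in for -CAfile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert: throwaway RSA cert for "localhost" (constructed here, not a cluster CA) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// probe plays the s_client role: one handshake per version, pinned to exactly that version; usable against any addr.
func probe(addr, serverName string, roots *x509.CertPool) map[uint16]bool {
	accepted := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: v, MaxVersion: v})
		if accepted[v] = err == nil; accepted[v] {
			c.Close()
		}
	}
	return accepted
}

// acceptedVersions serves loopback TLS with the given MinVersion (VersionTLS10 reproduces the downgrade, VersionTLS12 closes it) and probes it.
func acceptedVersions(minVersion uint16) map[uint16]bool {
	cert, pool := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // the probe dials one connection at a time, so a sequential accept loop suffices
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return probe(ln.Addr().String(), "localhost", pool)
}
```

probe can be pointed at a real master's port 22623 with a pool loaded from the etcd-member ca.crt; a server configured like acceptedVersions(tls.VersionTLS12) refuses the TLS 1.0 and 1.1 dials and accepts only 1.2 and 1.3.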

Comment 11 errata-xmlrpc 2020-07-13 17:27:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409