Bug 2130695
| Summary: | crypto-policy : Logging Improvement and publish the source of ciphers | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | Infrastructure | Assignee: | Dominik Holler <dholler> |
| Status: | CLOSED ERRATA | QA Contact: | Geetika Kapoor <gkapoor> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.12.0 | CC: | dholler, ycui |
| Target Milestone: | --- | | |
| Target Release: | 4.12.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | v4.12.0-714 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-01-24 13:41:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Test Env:
Deployed: OCP-4.12.0-rc.4
Deployed: CNV-v4.12.0-758

Test Cases:

What works

Test Case 1: On SSP, set Modern

```yaml
tlsSecurityProfile:
  modern: {}
  type: Modern
```

```
oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv| grep cipher
{"level":"info","ts":1670788666.9830906,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"],"tlsProfile: ":"VersionTLS13"}
```

Test Case 2: On SSP, set Old but HCO points to Modern

```
$ oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv --follow=true| grep cipher
{"level":"info","ts":1671105027.098432,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-RSA-AES128-SHA256","DHE-RSA-AES256-SHA256","AES128-GCM-SHA256","AES256-GCM-SHA384","AES128-SHA256","AES256-SHA256","AES128-SHA","AES256-SHA","DES-CBC3-SHA"],"tlsProfile: ":"VersionTLS10"} ======> This should be minTLSVersion
{"level":"info","ts":1671105027.0985553,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.0985746,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.098589,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.0986006,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
{"level":"info","ts":1671105032.0398319,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.0398426,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.039861,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.0398755,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
{"level":"info","ts":1671105032.0398805,"logger":"setup","msg":"Configured ciphers","ciphers":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53]} =====> CAN BE MORE USER FRIENDLY
```

Reverts back to Modern.

```
$ oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv| grep cipher
{"level":"info","ts":1671104814.0942738,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"],"tlsProfile: ":"VersionTLS13"}
{"level":"info","ts":1671104819.0134308,"logger":"setup","msg":"Configured ciphers","ciphers":[]}
```

What doesn't work

1. Cipher switch that happens and when ciphers are overwritten by apiserver or hco and reason for switch
2. Doesn't show handshake process logs for good/bad sessions
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:0408
Description of problem:
SSP logging at the moment shows

```
{"level":"info","ts":1664398497.9982593,"logger":"setup","msg":"Got Ciphers and tlsProfile:","ciphers: ":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"tlsProfile: ":"VersionTLS12"}
```

It doesn't show from which source the ciphers are being enforced. In this case, I got the ciphers from APIServer and not from HCO, as HCO doesn't have tlsSecurityProfile set. It will be good to know the source of the ciphers and other details like TLS session based information.

Example:

```
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get apiserver cluster -ojsonpath={.spec.tlsSecurityProfile}
{"custom":{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get hco kubevirt-hyperconverged -ojsonpath={.spec.tlsSecurityProfile}
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get ssp ssp-kubevirt-hyperconverged -ojsonpath={.spec.tlsSecurityProfile}
{"custom":{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12"},"type":"Custom"}
```

Version-Release number of selected component (if applicable):
4.12

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
Logging Improvement needed

Expected results:
Logging Improvement to help users get useful information in one place, easily accessible using must-gather

Additional info: