Bug 2139222

Summary: tlsSecurityProfile `Old` does not work on FIPS enabled cluster
Product: Container Native Virtualization (CNV)
Reporter: Denys Shchedrivyi <dshchedr>
Component: Virtualization
Assignee: sgott
Status: CLOSED NOTABUG
QA Contact: Kedar Bidarkar <kbidarka>
Severity: medium
Priority: medium
Version: 4.12.0
CC: sasundar
Target Milestone: ---
Target Release: 4.13.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-01-25 13:23:24 UTC
Type: Bug

Description Denys Shchedrivyi 2022-11-01 21:41:28 UTC
Description of problem:
 On a cluster with FIPS mode enabled, it is not possible to connect to virt-api with old TLS versions (v1.0 and v1.1).

 I can set `tlsSecurityProfile: type: Old` and the configuration is successfully propagated to KubeVirt:

$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -o json | jq .spec.configuration.tlsConfiguration
{
  "ciphers": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
  ],
  "minTLSVersion": "VersionTLS10"
}
 But virt-api still allows only TLS v1.2:

$ nmap --script ssl-enum-ciphers -p 1443 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-01 17:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds
Version-Release number of selected component (if applicable):
4.12 cluster with FIPS mode enabled


Actual results:
 Only TLS v1.2 is allowed, even when "minTLSVersion" is set to a lower version

Expected results:
 Allow access with the specified ciphers and `minTLSVersion` parameters

Additional info:
 If this is the expected behavior for a FIPS cluster, a note in the docs is probably needed

Comment 2 SATHEESARAN 2023-01-23 10:55:28 UTC
*** Bug 2161719 has been marked as a duplicate of this bug. ***

Comment 3 Kedar Bidarkar 2023-01-25 13:23:24 UTC
FIPS requires TLS version 1.2, which is totally fine and expected behavior.

Will be closing this bug.
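
As an added check that is not part of this bug report or of KubeVirt itself: a small Python probe that reads `minTLSVersion` from a tlsConfiguration document like the one in the description, derives the protocol versions the spec promises (optionally with the TLS 1.2 floor that FIPS mode enforces, as comment 3 states), and compares them with what the endpoint actually negotiates, the way the nmap scan did. The shortened sample configuration, host and port are constructed for the example.

```python
import json
import socket
import ssl

# Constructed sample shaped like the tlsConfiguration shown above (cipher list shortened).
SAMPLE_TLS_CONFIGURATION = json.dumps({
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "minTLSVersion": "VersionTLS10",
})

VERSIONS = [  # ascending order matters: expected_versions slices this list
    ("VersionTLS10", ssl.TLSVersion.TLSv1),
    ("VersionTLS11", ssl.TLSVersion.TLSv1_1),
    ("VersionTLS12", ssl.TLSVersion.TLSv1_2),
    ("VersionTLS13", ssl.TLSVersion.TLSv1_3),
]
FIPS_FLOOR = "VersionTLS12"  # FIPS mode never goes below TLS 1.2, whatever the profile says

def expected_versions(tls_configuration_json, fips=False):
    """Version names the spec promises; with fips=True the floor is raised to TLS 1.2."""
    min_name = json.loads(tls_configuration_json)["minTLSVersion"]
    names = [name for name, _ in VERSIONS]
    if min_name not in names:
        raise ValueError(f"unknown minTLSVersion {min_name!r}")
    start = names.index(min_name)
    if fips:
        start = max(start, names.index(FIPS_FLOOR))
    return names[start:]

def probe_version(host, port, version, timeout=5.0):
    """One handshake pinned to a single protocol version; True if the server accepts it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0/1.1 at its default level
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def observed_versions(host, port):
    return [name for name, ver in VERSIONS if probe_version(host, port, ver)]

def diff_versions(expected, observed):
    """Versions the spec promises but the server refuses, and the reverse."""
    return {"missing": [v for v in expected if v not in observed],
            "unexpected": [v for v in observed if v not in expected]}
```

Against the nmap result above, `diff_versions(expected_versions(cfg), observed_versions("127.0.0.1", 1443))` reports TLS 1.0 and 1.1 as missing for the `Old` profile, and nothing missing once `fips=True` is passed.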