Bug 2153527

Summary: unlike other CNV components, Kubevirt uses its own cipher for TLS 1.2
Product: Container Native Virtualization (CNV)
Reporter: Kedar Bidarkar <kbidarka>
Component: Virtualization
Assignee: ffossemo
Status: CLOSED ERRATA
QA Contact: zhe peng <zpeng>
Severity: high
Priority: high
Docs Contact:
Version: 4.12.0
CC: acardace, dshchedr, sgott
Target Milestone: ---
Target Release: 4.12.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.12.3-3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2139235
Environment:
Last Closed: 2023-05-23 22:31:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2139235
Bug Blocks:

Description Kedar Bidarkar 2022-12-14 17:27:10 UTC
+++ This bug was initially created as a clone of Bug #2139235 +++

Description of problem:
 HCO and SSP need to have the ECDHE-ECDSA-AES128-GCM-SHA256 cipher enabled,

 but Kubevirt needs ECDHE-RSA-AES128-GCM-SHA256.

 Not sure if it is by design, but personally I would think we need to adhere to the same standard.
 Currently, we have to be sure that both of these ciphers are present; otherwise some components stop responding.

Version-Release number of selected component (if applicable):
4.12

Actual results:
 CNV components use different ciphers

Expected results:
 CNV components use the same cipher

--- Additional comment from  on 2022-11-02 12:14:15 UTC ---

I'm guessing that the severity is "high". Rationale being we should err on the safe side.

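Why a suite mismatch makes a component stop responding, as an added example that is not part of the bug report or of the KubeVirt/HCO/SSP code: a TLS 1.2 ECDHE-ECDSA suite can only be negotiated by a server whose certificate has an ECDSA key, and ECDHE-RSA only by one with an RSA key (which is what the two suite names in the description imply about the components' serving certificates). A peer pinned to the suite that does not match the key never completes the handshake, so the other side sees a handshake failure rather than a response. The Go program below reproduces that with throwaway self-signed certificates over an in-memory pipe; the host name virt-api.example.test and the key parameters are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two TLS 1.2 suites named in the bug, in IANA/Go naming; OpenSSL and the
// bug text call them ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256.
var (
	ecdsaSuite = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	rsaSuite   = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
)

// certFor builds a throwaway self-signed serving certificate with an "rsa" or
// "ecdsa" key. The name and key are constructed for this example, not CNV-issued.
func certFor(keyType string) (tls.Certificate, error) {
	var key crypto.Signer
	var err error
	if keyType == "rsa" {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "virt-api.example.test"},
		DNSNames:     []string{"virt-api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs a TLS 1.2 handshake over an in-memory pipe: the server presents
// cert and permits only serverSuites, the client offers only clientSuites. It returns
// the negotiated suite name, or the error the client sees (a peer that "stops responding").
func handshake(cert tls.Certificate, serverSuites, clientSuites []uint16) (string, error) {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	srv := tls.Server(serverConn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: serverSuites,
	})
	cli := tls.Client(clientConn, &tls.Config{
		ServerName:         "virt-api.example.test",
		InsecureSkipVerify: true, // self-signed test cert; only suite negotiation matters here
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       clientSuites,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		clientConn.Close() // unblock the server goroutine if it is still reading
		<-srvErr
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	for _, keyType := range []string{"rsa", "ecdsa"} {
		cert, err := certFor(keyType)
		if err != nil {
			panic(err)
		}
		// Same single suite on both sides: only the suite matching the key type succeeds.
		for _, suites := range [][]uint16{rsaSuite, ecdsaSuite} {
			if got, err := handshake(cert, suites, suites); err != nil {
				fmt.Printf("%-5s key + %s: FAIL: %v\n", keyType, tls.CipherSuiteName(suites[0]), err)
			} else {
				fmt.Printf("%-5s key + %s: OK\n", keyType, got)
			}
		}
	}
}
```

Two of the four combinations fail with a handshake failure alert, which is why the description says both suites have to be present somewhere in the chain: a client that only offers the ECDSA suite cannot talk to a component serving an RSA certificate, and vice versa, regardless of how strong either suite is.
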
Comment 3 ffossemo 2023-03-27 12:58:55 UTC
@acardace The original bug https://bugzilla.redhat.com/show_bug.cgi?id=2139235 was fixed and verified. This is a duplicate IMO.

Comment 4 ffossemo 2023-03-27 13:33:01 UTC
My bad, different target release.

Comment 5 zhe peng 2023-04-28 03:33:45 UTC
Verified with build: CNV-v4.12.3-49

Checked the service ciphers of all CNV components (
hco-webhook-service,
kubevirt-operator-webhook,
ssp-operator-service,
virt-api):

....
PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
....

 Moving to VERIFIED.

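A way to turn the per-service nmap check above into a pass/fail comparison, as an added example that is not part of the verification or of any CNV tooling: parse the TLSv1.2 section of each ssl-enum-ciphers listing, report which suites are not offered by every service, and translate the OpenSSL-style names used in the description into the IANA names nmap prints. The two scan listings are constructed for the example; the first mirrors the shape of the output in the comment, the second deliberately shows the pre-fix mismatch. Service names are the ones listed in the comment, the port numbers are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed nmap --script ssl-enum-ciphers output for two CNV services (not
// captured from a real cluster). The webhook listing intentionally offers only
// the ECDHE-RSA suite to show what the original bug looked like.
var sampleScans = map[string]string{
	"virt-api": `PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
|_  least strength: A`,
	"kubevirt-operator-webhook": `PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: A`,
}

// opensslToIANA maps the OpenSSL-style names used in the bug description to
// the IANA names that nmap prints.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

// parseTLS12Suites returns the suite names nmap lists under TLSv1.2, in the
// order printed (server preference when "cipher preference: server").
func parseTLS12Suites(scan string) []string {
	var suites []string
	inTLS12 := false
	sc := bufio.NewScanner(strings.NewReader(scan))
	for sc.Scan() {
		line := strings.TrimLeft(sc.Text(), "|_ ") // strip nmap's script output prefix
		switch {
		case strings.HasPrefix(line, "TLSv1.2:"):
			inTLS12 = true
		case strings.HasPrefix(line, "TLSv"): // start of another protocol section
			inTLS12 = false
		case inTLS12 && strings.HasPrefix(line, "TLS_"):
			suites = append(suites, strings.Fields(line)[0])
		}
	}
	return suites
}

// missingSuites returns, per service, the TLS 1.2 suites that some other
// service offers but this one does not. An empty result is the bug's
// "Expected results": every component offers the same suites.
func missingSuites(scans map[string]string) map[string][]string {
	offered := map[string]map[string]bool{}
	union := map[string]bool{}
	for svc, scan := range scans {
		offered[svc] = map[string]bool{}
		for _, s := range parseTLS12Suites(scan) {
			offered[svc][s] = true
			union[s] = true
		}
	}
	missing := map[string][]string{}
	for svc := range scans {
		for s := range union {
			if !offered[svc][s] {
				missing[svc] = append(missing[svc], s)
			}
		}
		sort.Strings(missing[svc])
	}
	return missing
}

// offers reports whether a scan shows the suite given by its OpenSSL-style name.
func offers(scan, opensslName string) bool {
	for _, s := range parseTLS12Suites(scan) {
		if s == opensslToIANA[opensslName] {
			return true
		}
	}
	return false
}

func main() {
	for svc, m := range missingSuites(sampleScans) {
		fmt.Printf("%s lacks %v\n", svc, m)
	}
	fmt.Println("virt-api offers ECDHE-ECDSA-AES128-GCM-SHA256:",
		offers(sampleScans["virt-api"], "ECDHE-ECDSA-AES128-GCM-SHA256"))
}
```

To run it against a cluster, capture one listing per service with something like nmap -p <port> --script ssl-enum-ciphers <service>.<namespace>.svc and put each into the map; an empty result from missingSuites is the agreement between components that the bug asks for, and offers answers the description's "both of these ciphers are present" question without having to hand-translate OpenSSL names into nmap's.
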
Comment 11 errata-xmlrpc 2023-05-23 22:31:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.12.3 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:3283

Comment 12 Red Hat Bugzilla 2023-09-21 04:25:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days