Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1299014 - [RFE] Configuration setting to set cipher on Openshift node web proxy
[RFE] Configuration setting to set cipher on Openshift node web proxy
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Security (Show other bugs)
2.2.0
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Rory Thrasher
Xiaoli Tian
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-15 12:17 EST by Ryan Howe
Modified: 2016-10-14 15:51 EDT (History)
9 users (show)

See Also:
Fixed In Version: openshift-origin-node-proxy-1.26.2.1-1.el6op
Doc Type: Enhancement
Doc Text:
Feature: Allow the cipher suite used for the node web proxy to be configured. Reason: Certain ciphers may need to be disabled or enabled depending on an organization's security policies. Result: The cihper suite can now be configuration in the /etc/openshfit/node-web-proxy.json configuration file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-22 12:54:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
anli: needinfo-

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0489 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update 2016-03-22 16:49:04 EDT

  None (edit)
Description Ryan Howe 2016-01-15 12:17:11 EST 
Description of problem:

We need to have the ability to disable RC4 cipher on Openshift node web proxy (8443 port).


Version-Release number of selected component (if applicable):
2.2


Additional info:

Current work around would be to manually edit the http-utils.js file. 


--- /opt/rh/nodejs010/root/usr/lib/node_modules/openshift-node-web-proxy/lib/utils/http-utils.js        2016-01-14 19:08:44.514950556 -0500
+++ -   2016-01-14 19:08:58.258815213 -0500
@@ -36,6 +36,7 @@
       ssl_opts.cert = fs.readFileSync(opts.certificate);
       ssl_opts.key  = fs.readFileSync(opts.private_key);
 
+      ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4";
       proto_handler = https.createServer(ssl_opts);
       break;
   }


We need the ability to modify ciphers in /etc/openshift/web-proxy-config.json
Comment 1 openshift-github-bot 2016-01-27 22:50:34 EST 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/7dec6165f2e8d3ac3c7bf3b8b5dfaf7adfc7aa6e
Specify cihper suite in node-web-proxy configuration

Bug 1299014
https://bugzilla.redhat.com/show_bug.cgi?id=1299014

Additionally, remove forcing the use of SSLv2_3. Also add the node-web-proxy.json file as a configuration file. Note that a default was specified for the new ciphers option so that old configuration files without this option will not cause issues.
Comment 5 Anping Li 2016-02-24 00:41:19 EST 
Due to https://bugzilla.redhat.com/show_bug.cgi?id=1302787#c5. Shall we fix in openshift-origin-node-proxy?
Comment 6 Ma xiaoqiang 2016-03-01 01:31:46 EST 
Check on puddle [2.2.9/2016-02-25.2]

1. change the "ciphers"  configuration
#vim /etc/openshift/web-proxy-config.json
<--snip-->
        "private_key": "/etc/pki/tls/private/localhost.key",
        "ciphers"    : "!IDEA:+3DES"
<--snip-->

2. restart the service
/etc/init.d/openshift-node-web-proxy restart

3. check the web-proxy log
1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
The ciphers config:  !IDEA:+3DES
1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy

The configuration take effect, move this issue to VERIFIED.
Comment 7 Ma xiaoqiang 2016-03-01 01:41:53 EST 
(In reply to Ma xiaoqiang from comment #6)
> Check on puddle [2.2.9/2016-02-25.2]
> 
> 1. change the "ciphers"  configuration
> #vim /etc/openshift/web-proxy-config.json
> <--snip-->
>         "private_key": "/etc/pki/tls/private/localhost.key",
>         "ciphers"    : "!IDEA:+3DES"
> <--snip-->
> 
> 2. restart the service
> /etc/init.d/openshift-node-web-proxy restart
> 
> 3. check the web-proxy log
> 1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server
> for secure_http_proxy
> The ciphers config:  !IDEA:+3DES
> 1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server
> for secure_http_proxy
> 
> The configuration take effect, move this issue to VERIFIED.

Check the default configuration
# vim /etc/openshift/web-proxy-config.json
"ciphers"    : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"

it disabled the RC4.
Comment 9 errata-xmlrpc 2016-03-22 12:54:00 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0489.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.