Description of problem: We need to have the ability to disable RC4 cipher on Openshift node web proxy (8443 port). Version-Release number of selected component (if applicable): 2.2 Additional info: Current work around would be to manually edit the http-utils.js file. --- /opt/rh/nodejs010/root/usr/lib/node_modules/openshift-node-web-proxy/lib/utils/http-utils.js 2016-01-14 19:08:44.514950556 -0500 +++ - 2016-01-14 19:08:58.258815213 -0500 @@ -36,6 +36,7 @@ ssl_opts.cert = fs.readFileSync(opts.certificate); ssl_opts.key = fs.readFileSync(opts.private_key); + ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4"; proto_handler = https.createServer(ssl_opts); break; } We need the ability to modify ciphers in /etc/openshift/web-proxy-config.json
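Review bot: the hard-coded `ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4";` line in the workaround hunk selects exactly one suite (TLS 1.2, RSA key exchange, so no forward secrecy), which means any client that does not support that single suite can no longer connect to the proxy on 8443, and the trailing `!RC4` is redundant because no RC4 suite was selected in the first place. Since the hunk lands in a packaged file under /opt/rh/nodejs010/, the edit is also lost on the next update of the package. As the report itself asks, read the value from the proxy configuration with a sane default rather than a literal, for example `ssl_opts.ciphers = opts.ciphers || DEFAULT_CIPHERS;` next to the existing `opts.certificate` / `opts.private_key` lookups, so that an operator can exclude RC4 without losing the rest of the suite list.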
Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/7dec6165f2e8d3ac3c7bf3b8b5dfaf7adfc7aa6e
Specify cipher suite in node-web-proxy configuration
Bug 1299014 https://bugzilla.redhat.com/show_bug.cgi?id=1299014
Additionally, remove forcing the use of SSLv2_3. Also add the node-web-proxy.json file as a configuration file. Note that a default was specified for the new ciphers option so that old configuration files without this option will not cause issues.
Due to https://bugzilla.redhat.com/show_bug.cgi?id=1302787#c5. Shall we fix in openshift-origin-node-proxy?
Check on puddle [2.2.9/2016-02-25.2]

1. Change the "ciphers" configuration:
# vim /etc/openshift/web-proxy-config.json
<--snip-->
"private_key": "/etc/pki/tls/private/localhost.key",
"ciphers" : "!IDEA:+3DES"
<--snip-->

2. Restart the service:
/etc/init.d/openshift-node-web-proxy restart

3. Check the web-proxy log:
1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
The ciphers config: !IDEA:+3DES
1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy

The configuration takes effect; moving this issue to VERIFIED.
(In reply to Ma xiaoqiang from comment #6)
> Check on puddle [2.2.9/2016-02-25.2]
>
> 1. Change the "ciphers" configuration:
> # vim /etc/openshift/web-proxy-config.json
> <--snip-->
> "private_key": "/etc/pki/tls/private/localhost.key",
> "ciphers" : "!IDEA:+3DES"
> <--snip-->
>
> 2. Restart the service:
> /etc/init.d/openshift-node-web-proxy restart
>
> 3. Check the web-proxy log:
> 1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
> The ciphers config: !IDEA:+3DES
> 1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy
>
> The configuration takes effect; moving this issue to VERIFIED.

Check the default configuration:
# vim /etc/openshift/web-proxy-config.json
"ciphers" : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"

It disables RC4.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-0489.html