Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1299014

Summary: [RFE] Configuration setting to set cipher on Openshift node web proxy
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: SecurityAssignee: Rory Thrasher <rthrashe>
Status: CLOSED ERRATA QA Contact: Xiaoli Tian <xtian>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.2.0CC: anli, erich, jialiu, jokerman, lmeyer, mmccomas, rthrashe, tiwillia, xiama
Target Milestone: ---Flags: anli: needinfo-
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openshift-origin-node-proxy-1.26.2.1-1.el6op Doc Type: Enhancement
Doc Text:
Feature: Allow the cipher suite used for the node web proxy to be configured. Reason: Certain ciphers may need to be disabled or enabled depending on an organization's security policies. Result: The cihper suite can now be configuration in the /etc/openshfit/node-web-proxy.json configuration file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-22 16:54:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2016-01-15 17:17:11 UTC 
Description of problem:

We need to have the ability to disable RC4 cipher on Openshift node web proxy (8443 port).


Version-Release number of selected component (if applicable):
2.2


Additional info:

Current work around would be to manually edit the http-utils.js file. 


--- /opt/rh/nodejs010/root/usr/lib/node_modules/openshift-node-web-proxy/lib/utils/http-utils.js        2016-01-14 19:08:44.514950556 -0500
+++ -   2016-01-14 19:08:58.258815213 -0500
@@ -36,6 +36,7 @@
       ssl_opts.cert = fs.readFileSync(opts.certificate);
       ssl_opts.key  = fs.readFileSync(opts.private_key);
 
+      ssl_opts.ciphers = "AES256-GCM-SHA384:!RC4";
       proto_handler = https.createServer(ssl_opts);
       break;
   }


We need the ability to modify ciphers in /etc/openshift/web-proxy-config.json
Comment 1 openshift-github-bot 2016-01-28 03:50:34 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/7dec6165f2e8d3ac3c7bf3b8b5dfaf7adfc7aa6e
Specify cihper suite in node-web-proxy configuration

Bug 1299014
https://bugzilla.redhat.com/show_bug.cgi?id=1299014

Additionally, remove forcing the use of SSLv2_3. Also add the node-web-proxy.json file as a configuration file. Note that a default was specified for the new ciphers option so that old configuration files without this option will not cause issues.
Comment 5 Anping Li 2016-02-24 05:41:19 UTC 
Due to https://bugzilla.redhat.com/show_bug.cgi?id=1302787#c5. Shall we fix in openshift-origin-node-proxy?
Comment 6 Ma xiaoqiang 2016-03-01 06:31:46 UTC 
Check on puddle [2.2.9/2016-02-25.2]

1. change the "ciphers"  configuration
#vim /etc/openshift/web-proxy-config.json
<--snip-->
        "private_key": "/etc/pki/tls/private/localhost.key",
        "ciphers"    : "!IDEA:+3DES"
<--snip-->

2. restart the service
/etc/init.d/openshift-node-web-proxy restart

3. check the web-proxy log
1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server for secure_http_proxy
The ciphers config:  !IDEA:+3DES
1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server for secure_http_proxy

The configuration take effect, move this issue to VERIFIED.
Comment 7 Ma xiaoqiang 2016-03-01 06:41:53 UTC 
(In reply to Ma xiaoqiang from comment #6)
> Check on puddle [2.2.9/2016-02-25.2]
> 
> 1. change the "ciphers"  configuration
> #vim /etc/openshift/web-proxy-config.json
> <--snip-->
>         "private_key": "/etc/pki/tls/private/localhost.key",
>         "ciphers"    : "!IDEA:+3DES"
> <--snip-->
> 
> 2. restart the service
> /etc/init.d/openshift-node-web-proxy restart
> 
> 3. check the web-proxy log
> 1456813573207:INFO:[01/Mar/2016:14:26:13 -0800] - Creating protocol server
> for secure_http_proxy
> The ciphers config:  !IDEA:+3DES
> 1456813573210:INFO:[01/Mar/2016:14:26:13 -0800] - Creating websocket server
> for secure_http_proxy
> 
> The configuration take effect, move this issue to VERIFIED.

Check the default configuration
# vim /etc/openshift/web-proxy-config.json
"ciphers"    : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:+3DES"

it disabled the RC4.
Comment 9 errata-xmlrpc 2016-03-22 16:54:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0489.html