1387789 – [RFE] Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389

Bug 1387789 - [RFE] Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389

Summary: [RFE] Allow override of TLS ciphers to avoid clients connecting and being vul...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	RFE
Sub Component:
Version:	3.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Paul Weil
QA Contact:	Xiaoli Tian
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-21 22:10 UTC by Ryan Howe
Modified:	2020-05-14 15:21 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-27 18:47:16 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ryan Howe 2016-10-21 22:10:26 UTC

Description of problem:

Allow override of TLS ciphers to avoid clients connecting and being vulnerable to CVE-2011-3389. As CBC ciphers are vulnerable with tlsv1 this should be configurable. 

https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L34

Version-Release number of selected component (if applicable):
3.3

Comment 1 Jordan Liggitt 2016-10-21 23:57:45 UTC

Upstream is already at tls1.2. All supported browsers support that as well. 

https://github.com/openshift/origin/issues/11495 is open to test switching to that

Note You need to log in before you can comment on or make changes to this bug.