Bug 1429609 - [3.4] [RFE] Configurable minimum TLS version
Summary: [3.4] [RFE] Configurable minimum TLS version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.4.z
Assignee: Jordan Liggitt
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On: 1425941
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-06 16:54 UTC by Andy Goldstein
Modified: 2020-04-15 15:26 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Minimum TLS version and allowed ciphers are now configurable Reason: Allows specific deployments to be more or less restrictive than the default TLS configuration. Result: Older TLS versions can be allowed for compatibility with legacy environments, or more secure ciphers can be required for compliance with customer-specific security requirements.
Clone Of: 1425941
Environment:
Last Closed: 2017-03-15 20:04:15 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0512 0 normal SHIPPED_LIVE OpenShift Container Platform 3.4.1.10, 3.3.1.17, and 3.2.1.28 bug fix update 2017-03-16 00:01:17 UTC

Comment 1 Andy Goldstein 2017-03-06 16:55:52 UTC 
This is for 3.4.x. Will set target release appropriately when 3.4.2 is in the list
Comment 2 Andy Goldstein 2017-03-06 17:26:40 UTC 
Per dmcphers, setting target release to latest 3.4.x
Comment 7 Troy Dawson 2017-03-07 19:50:05 UTC 
This has been merged into ocp and is in OCP v3.4.1.10 or newer.
Comment 9 Meng Bo 2017-03-10 03:20:47 UTC 
Checked on v3.4.1.10

After change the master config as:


servingInfo:
  ...
  minTLSVersion: VersionTLS11
  cipherSuites:
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA


The TLS and cipher related info can be configured.

 Start 2017-03-09 22:20:01    -->> 10.66.147.225:8443 (10.66.147.225) <<--

 rDNS (10.66.147.225):   --
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               not offered
 TLS 1.1             offered
 TLS 1.2             offered (OK)
 Version tolerance   downgraded to TLSv1.2 (OK)
 SPDY/NPN            http/1.1 (advertised)
 HTTP2/ALPN          Local problem: /usr/bin/openssl doesn't support HTTP2/ALPN


 Testing all locally available ciphers per protocol against the server, ordered by encryption strength 
    (Your /usr/bin/openssl cannot show DH/ECDH bits)

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
------------------------------------------------------------------------
SSLv2 
SSLv3 
TLS 1 
TLS 1.1 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       
TLS 1.2 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       

 Done 2017-03-09 22:20:04    -->> 10.66.147.225:8443 (10.66.147.225) <<--
Comment 11 errata-xmlrpc 2017-03-15 20:04:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0512
Note You need to log in before you can comment on or make changes to this bug.