Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1429609 - [3.4] [RFE] Configurable minimum TLS version
[3.4] [RFE] Configurable minimum TLS version
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
3.4.0
Unspecified Unspecified
high Severity high
: ---
: 3.4.z
Assigned To: Jordan Liggitt
Meng Bo
: NeedsTestCase
Depends On: 1425941
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-06 11:54 EST by Andy Goldstein
Modified: 2017-08-06 15:28 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Minimum TLS version and allowed ciphers are now configurable Reason: Allows specific deployments to be more or less restrictive than the default TLS configuration. Result: Older TLS versions can be allowed for compatibility with legacy environments, or more secure ciphers can be required for compliance with customer-specific security requirements.
Story Points: ---
Clone Of: 1425941
Environment:
Last Closed: 2017-03-15 16:04:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0512 normal SHIPPED_LIVE OpenShift Container Platform 3.4.1.10, 3.3.1.17, and 3.2.1.28 bug fix update 2017-03-15 20:01:17 EDT

  None (edit)
Comment 1 Andy Goldstein 2017-03-06 11:55:52 EST 
This is for 3.4.x. Will set target release appropriately when 3.4.2 is in the list
Comment 2 Andy Goldstein 2017-03-06 12:26:40 EST 
Per dmcphers, setting target release to latest 3.4.x
Comment 7 Troy Dawson 2017-03-07 14:50:05 EST 
This has been merged into ocp and is in OCP v3.4.1.10 or newer.
Comment 9 Meng Bo 2017-03-09 22:20:47 EST 
Checked on v3.4.1.10

After change the master config as:


servingInfo:
  ...
  minTLSVersion: VersionTLS11
  cipherSuites:
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA


The TLS and cipher related info can be configured.

 Start 2017-03-09 22:20:01    -->> 10.66.147.225:8443 (10.66.147.225) <<--

 rDNS (10.66.147.225):   --
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               not offered
 TLS 1.1             offered
 TLS 1.2             offered (OK)
 Version tolerance   downgraded to TLSv1.2 (OK)
 SPDY/NPN            http/1.1 (advertised)
 HTTP2/ALPN          Local problem: /usr/bin/openssl doesn't support HTTP2/ALPN


 Testing all locally available ciphers per protocol against the server, ordered by encryption strength 
    (Your /usr/bin/openssl cannot show DH/ECDH bits)

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
------------------------------------------------------------------------
SSLv2 
SSLv3 
TLS 1 
TLS 1.1 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       
TLS 1.2 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       

 Done 2017-03-09 22:20:04    -->> 10.66.147.225:8443 (10.66.147.225) <<--
Comment 11 errata-xmlrpc 2017-03-15 16:04:15 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0512
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.