Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1429609

Summary: [3.4] [RFE] Configurable minimum TLS version
Product: OpenShift Container Platform Reporter: Andy Goldstein <agoldste>
Component: RFEAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED ERRATA QA Contact: Meng Bo <bmeng>
Severity: high Docs Contact:
Priority: high    
Version: 3.4.0CC: agoldste, aos-bugs, asolanas, bleanhar, jliggitt, jokerman, meggen, mmccomas, stwalter, tdawson, wsun, xtian
Target Milestone: ---Keywords: NeedsTestCase
Target Release: 3.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: Minimum TLS version and allowed ciphers are now configurable Reason: Allows specific deployments to be more or less restrictive than the default TLS configuration. Result: Older TLS versions can be allowed for compatibility with legacy environments, or more secure ciphers can be required for compliance with customer-specific security requirements.
 Story Points: ---
Clone Of: 1425941 Environment:
Last Closed: 2017-03-15 20:04:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1425941    
Bug Blocks:    

Comment 1 Andy Goldstein 2017-03-06 16:55:52 UTC 
This is for 3.4.x. Will set target release appropriately when 3.4.2 is in the list
Comment 2 Andy Goldstein 2017-03-06 17:26:40 UTC 
Per dmcphers, setting target release to latest 3.4.x
Comment 7 Troy Dawson 2017-03-07 19:50:05 UTC 
This has been merged into ocp and is in OCP v3.4.1.10 or newer.
Comment 9 Meng Bo 2017-03-10 03:20:47 UTC 
Checked on v3.4.1.10

After change the master config as:


servingInfo:
  ...
  minTLSVersion: VersionTLS11
  cipherSuites:
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA


The TLS and cipher related info can be configured.

 Start 2017-03-09 22:20:01    -->> 10.66.147.225:8443 (10.66.147.225) <<--

 rDNS (10.66.147.225):   --
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               not offered
 TLS 1.1             offered
 TLS 1.2             offered (OK)
 Version tolerance   downgraded to TLSv1.2 (OK)
 SPDY/NPN            http/1.1 (advertised)
 HTTP2/ALPN          Local problem: /usr/bin/openssl doesn't support HTTP2/ALPN


 Testing all locally available ciphers per protocol against the server, ordered by encryption strength 
    (Your /usr/bin/openssl cannot show DH/ECDH bits)

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
------------------------------------------------------------------------
SSLv2 
SSLv3 
TLS 1 
TLS 1.1 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       
TLS 1.2 
 x0a     DES-CBC3-SHA                      RSA        3DES      168       

 Done 2017-03-09 22:20:04    -->> 10.66.147.225:8443 (10.66.147.225) <<--
Comment 11 errata-xmlrpc 2017-03-15 20:04:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0512