Red Hat Bugzilla – Bug 1465572
[RFE] allow to set TLS cipher suite for the router
Last modified: 2018-04-12 05:16:01 EDT
3. What is the nature and description of the request? The aim is to be able to specify a cipher list on the HAProxy router. 4. Why does the customer need this? (List the business requirements here) For having an easier way to comply with their business security requirements. 5. How would the customer like to achieve this? (List the functional requirements here) Environment variable or annotations. 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. Setting a cipher suite and checking whether router answers only to the ones listed. 7. Is there already an existing RFE upstream or in Red Hat Bugzilla? Yes, https://github.com/openshift/origin/pull/14505 (Merged) 10. List any affected packages or components. router
Allow specifying haproxy SSL Cipher list #14505
@Phil Cameron this bug already fixed some days before and was merged in 3.6. could you help move to 'ON_QA' and I will verified it. thanks.
This work was originally done implementing a Trello card. I found the bug and tied it to this work.
verified this bug on openshift v3.6.136 steps: 1. set the env for router ROUTER_CIPHERS={modern,old,intermediate}, eg oc env dc router ROUTER_CIPHERS=modern 2. Create ppd, service,edge/reencrypt route 3. Check the route is using the special cipher. curl https://$route -v
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188