Bug 1465572 - [RFE] allow to set TLS cipher suite for the router
[RFE] allow to set TLS cipher suite for the router
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing (Show other bugs)
Unspecified Unspecified
unspecified Severity low
: ---
: 3.7.0
Assigned To: Phil Cameron
Depends On:
  Show dependency treegraph
Reported: 2017-06-27 12:25 EDT by Sergi Jimenez Romero
Modified: 2017-10-05 13:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: docs pr 4587 Reason: Result:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 14505 None None None 2017-08-23 10:40 EDT

  None (edit)
Description Sergi Jimenez Romero 2017-06-27 12:25:55 EDT
3. What is the nature and description of the request?  

The aim is to be able to specify a cipher list on the HAProxy router.

4. Why does the customer need this? (List the business requirements here) 

For having an easier way to comply with their business security requirements.

5. How would the customer like to achieve this? (List the functional requirements here)  

Environment variable or annotations.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Setting a cipher suite and checking whether router answers only to the ones listed.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  

Yes, https://github.com/openshift/origin/pull/14505 (Merged)

10. List any affected packages or components.
Comment 3 Phil Cameron 2017-07-10 14:25:52 EDT
Allow specifying haproxy SSL Cipher list #14505
Comment 4 zhaozhanqi 2017-07-10 21:11:52 EDT
@Phil Cameron

this bug already fixed some days before and was merged in 3.6. could you help move to 'ON_QA' and I will verified it. thanks.
Comment 5 Phil Cameron 2017-07-11 09:29:00 EDT
This work was originally done implementing a Trello card. I found the bug and tied it to this work.
Comment 6 zhaozhanqi 2017-07-11 22:27:17 EDT
verified this bug on openshift v3.6.136


1. set the env for router ROUTER_CIPHERS={modern,old,intermediate}, eg

   oc env dc router ROUTER_CIPHERS=modern

2. Create ppd, service,edge/reencrypt route
3. Check the route is using the special cipher.
   curl https://$route -v

Note You need to log in before you can comment on or make changes to this bug.