Description of problem: Only weak ciphers are available for etcd

Version-Release number of selected component (if applicable): OpenShift 3.7

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
The existing set of etcd ciphers is weak and poses a security vulnerability that raises alarms in common scanning tools (e.g. Nessus). OpenShift allows customers to disable weak ciphers using the following steps: https://access.redhat.com/solutions/3374601. However, strong ciphers are not available for etcd communication. Without the ability to use a set of strong ciphers that meet regulatory minimum requirements, and disable weak ciphers, deployment of OpenShift in regulatory-controlled environments will block on security violations.
There is a new build available with the feature to select ciphers. You can find it here: https://github.com/coreos/etcd/releases/tag/v3.2.22 Original PR: https://github.com/coreos/etcd/pull/9801
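An added example, not code from etcd or from the PR above: a pre-flight check for the cipher list an operator would hand to the new build. Because etcd's TLS stack is Go's crypto/tls, it sorts the requested names into those crypto/tls treats as secure, those it lists as insecure, and those it does not implement at all (which a scanner would never see negotiated, but which also silently shrink the intended allow-list). The flag name --cipher-suites is an assumption; the page does not state it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherReport splits a requested cipher-suite list into names crypto/tls
// treats as secure, names it lists as insecure, and names it does not
// implement (etcd is built on crypto/tls, so those can never be negotiated).
type CipherReport struct {
	Strong, Weak, Unknown []string
}

// ClassifyCipherSuites checks each name against tls.CipherSuites() and
// tls.InsecureCipherSuites(); names are trimmed so a value copied from a
// config file with spaces around the commas still matches.
func ClassifyCipherSuites(requested []string) CipherReport {
	secure, insecure := map[string]bool{}, map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = true
	}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	var r CipherReport
	for _, name := range requested {
		name = strings.TrimSpace(name)
		switch {
		case secure[name]:
			r.Strong = append(r.Strong, name)
		case insecure[name]:
			r.Weak = append(r.Weak, name)
		default:
			r.Unknown = append(r.Unknown, name)
		}
	}
	return r
}

// FlagValue is the comma-separated value for etcd's cipher-suite flag
// (assumed here to be --cipher-suites; the flag name is not on this page).
func FlagValue(r CipherReport) string { return strings.Join(r.Strong, ",") }

func main() {
	// Constructed sample mixing strong, weak and unsupported names.
	r := ClassifyCipherSuites([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		" TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"})
	fmt.Printf("strong=%v weak=%v unknown=%v\n", r.Strong, r.Weak, r.Unknown)
	fmt.Println("--cipher-suites=" + FlagValue(r))
}
```

Anything that lands in Weak or Unknown should be dropped from the list before it is deployed; only the Strong names are worth passing to the flag.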
Sebastien -- Are there any updates on this?