Bug 1571401 - [RFE] Ability to disable TLS versions via router variables.
Summary: [RFE] Ability to disable TLS versions via router variables.
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.9.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
: ---
Assignee: Ben Bennett
QA Contact: Xiaoli Tian
URL:
Whiteboard:
: 1570002 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-24 17:06 UTC by Ryan Howe
Modified: 2020-02-14 15:29 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-14 15:29:30 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2989001 0 Configure None Change the OpenShift router's SSL Protocol and Supported Cipher list 2019-04-18 22:34:13 UTC

Description Ryan Howe 2018-04-24 17:06:26 UTC
Description of problem:

Disable tlsv1.0 and/or tlsv1.1 via Router variable versus needing to customize the router template. 

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L52

Set this line if disabling tls versions. 

   ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


Maybe the change would look like this: 

3.7+ 
  ssl-default-bind-options no-sslv3 {{- if isTrue (env "DISABLE_TLSv10") no-tlsv10}} {{- end }} {{- if isTrue (env "DISABLE_TLSv11") no-tlsv11}} {{- end }}

3.6 or less
 ssl-default-bind-options no-sslv3 {{- if matchPattern "true|TRUE"  (env "DISABLE_TLSv10" "") }} no-tlsv10 {{- end }} {{- if  matchPattern "true|TRUE" (env "DISABLE_TLSv11" "") }} no-tlsv11 {{- end }}

Comment 2 Marc Curry 2019-04-18 22:34:14 UTC
*** Bug 1570002 has been marked as a duplicate of this bug. ***

Comment 4 Rory Thrasher 2019-06-11 21:17:04 UTC
Red Hat is moving OpenShift feature requests to a new JIRA RFE system. This bz (RFE) has been identified as a feature request which is still being evaluated and has been moved.

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.

https://.jira.coreos.com/browse/RFE-167


Note You need to log in before you can comment on or make changes to this bug.