Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1623646

Summary: etcd-3.2.22 weak ciphers enabled with no way of disabling
Product: OpenShift Container Platform
Component: Master
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: 3.10.z
Reporter: Brian J. Beaudoin <bbeaudoi>
Assignee: Michal Fojtik <mfojtik>
QA Contact: ge liu <geliu>
Docs Contact:
CC: aos-bugs, bbennett, cscribne, jokerman, knewcomer, mmccomas, xxia
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-13 17:09:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Brian J. Beaudoin 2018-08-29 19:29:53 UTC
Description of problem:

https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-config-tls-cipher

The documentation suggests "Specifying TLS ciphers for etcd" is possible by adding configuration to the master-config.yaml. These options are not used for the etcd pod and weak ciphers are still enabled in etcd.

Modifying the pod to include `--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` does not resolve the issue either. No matter how etcd is invoked, it appears Go always initializes the list to the following:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA

Version-Release number of selected component (if applicable):

[root@master-310-1 ~]# oc rsh master-etcd-master-310-1.openshifthappens.com 
sh-4.2# etcd --version
etcd Version: 3.2.22
Git SHA: 1674e68
Go Version: go1.9.2
Go OS/Arch: linux/amd64
sh-4.2# 

How reproducible:

Steps to Reproduce:

1. Add the documented configuration to the master-config.yaml limiting the cipher suite to the desired list on all of the masters.

servingInfo:
  ...
  minTLSVersion: VersionTLS12
  cipherSuites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

2. Restart the services per the documentation (or reboot the node)

3. Create a short script to test the services on port 8443 and 2379:

#!/usr/bin/bash
# test script for checking ciphers on a port
# usage: ./test <port>
# `openssl ciphers` prints a colon-separated list, so split on ':'
IFS=:
for cipher in $(openssl ciphers); do
  echo $cipher
  # force TLS 1.2 and offer only this one cipher; the "New, ..., Cipher is"
  # line names the negotiated cipher, or (NONE) when the server refused it
  echo |\
    openssl s_client \
      -CAfile /etc/etcd/ca.crt \
      -tls1_2 -cipher $cipher \
      -connect master-310-1.openshifthappens.com:$1 2>/dev/null |\
        grep -v NONE
done|awk '/New/ {print $5}'

4. Check the supported ciphers.

[root@master-310-1 ~]# ./test 8443
ECDHE-RSA-AES128-GCM-SHA256

[root@master-310-1 ~]# ./test 2379
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA


Actual results:

The ciphers in https://github.com/etcd-io/etcd/issues/8320 specific to the issue are not disabled. These are ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.


Expected results:

Only the whitelisted cipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, should be able to be specified or used. All other ciphers should be blocked as with the master API and console.

Additional info:

The OpenShift 3.10 documentation suggests that etcd cipher suites may be verified by using the following command to see that etcd only supports ECDHE-RSA-AES128-GCM-SHA256 and that ciphers not in the whitelist are not allowed.

openssl s_client -connect etcd1.example.com:2379

Looking into the issue more deeply, the Dockerfile specifies a wrapper script to initialize the etcd environment as follows:

[root@master-310-1 ~]# oc rsh master-etcd-master-310-1.openshifthappens.com 
sh-4.2# grep CMD /root/buildinfo/Dockerfile-rhel7-etcd-3.2.22-9 
CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"]

The wrapper script does not export `ETCD_CIPHER_SUITES` and does not pass `--cipher-suites` on the command line. It merely does the following:

# Execute the commands passed to this script
exec "$@"

Updating the image so --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 has no effect on the supported ciphers. Updating the image with an invalid cipher-suite results in an error (negative testing) so it is known the option is parsed.
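
As an added illustration of the behaviour described above, and not code from etcd or OpenShift: a Go program that reproduces the two server configurations the report contrasts on a loopback TLS 1.2 listener. The first list is the ten suites the reporter observed on port 2379, translated from OpenSSL names to the IANA names that etcd's --cipher-suites flag and the master-config.yaml cipherSuites list use; the second is the single whitelisted suite. A client that offers only DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) is accepted by the first and refused by the second, which is the difference the reporter's script on ports 2379 and 8443 shows. The self-signed certificate, the loopback address and the cipherSuiteID helper are assumptions made for the example; only the suite names come from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cipherSuiteID resolves an IANA suite name (the form used by etcd's
// --cipher-suites flag and master-config.yaml) to Go's numeric suite ID.
// An unknown name is rejected, mirroring the reporter's negative test.
func cipherSuiteID(name string) (uint16, error) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs.ID, nil
		}
	}
	return 0, fmt.Errorf("unknown cipher suite %q", name)
}

// reportedSuites are the ten suites seen on port 2379 in the report, in the
// same order, translated from OpenSSL names (ECDHE-RSA-DES-CBC3-SHA, ...).
var reportedSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}

// hardenedSuites is the single suite the report wants whitelisted.
var hardenedSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}

// tripleDESOnly is what a weak-cipher probe offers
// (openssl s_client -cipher DES-CBC3-SHA).
var tripleDESOnly = []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}

// selfSignedCert builds a throwaway RSA certificate for 127.0.0.1 so the
// example runs offline (an assumption standing in for the etcd CA and cert).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd-cipher-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate performs one TLS 1.2 handshake against a loopback server limited
// to serverSuites from a client offering only clientSuites. It returns the
// suite the server chose, or the handshake error if the server refused.
func negotiate(serverSuites, clientSuites []uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	// etcd 3.2 on Go 1.9 predates TLS 1.3, and in current Go CipherSuites
	// only governs TLS 1.2 anyway, so pin both ends to TLS 1.2.
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: serverSuites,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // outcome is observed on the client side
	}()
	cliCfg := &tls.Config{
		RootCAs:      pool,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: clientSuites,
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

func main() {
	for _, tc := range []struct {
		name           string
		server, client []uint16
	}{
		{"reported port-2379 list vs 3DES probe", reportedSuites, tripleDESOnly},
		{"whitelisted suite vs 3DES probe", hardenedSuites, tripleDESOnly},
		{"whitelisted suite vs matching client", hardenedSuites, hardenedSuites},
	} {
		id, err := negotiate(tc.server, tc.client)
		if err != nil {
			fmt.Printf("%-40s refused: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-40s negotiated %s\n", tc.name, tls.CipherSuiteName(id))
	}
}
```

The permissive list is spelled out rather than leaving CipherSuites nil on purpose: the Go release in the report offered 3DES and plain RSA key exchange by default, while recent Go releases drop both from the default list, so a nil config would no longer reproduce what the reporter saw. The whitelisted server refuses the 3DES-only client with a handshake_failure alert before any application data is exchanged, which is exactly what `grep -v NONE` in the reporter's script filters for on port 8443.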

Comment 3 Michal Fojtik 2018-08-30 08:41:40 UTC
Moving to etcd team.

Comment 8 Brian J. Beaudoin 2018-09-04 14:27:56 UTC
PR submitted by Vadim Rutkovsky addresses this issue:

https://github.com/openshift/openshift-ansible/pull/9883

Comment 9 Scott Dodson 2018-09-05 20:40:05 UTC
I think this bug should be CLOSED NOTABUG. There's nothing preventing someone from disabling these ciphers in 3.9+ today, though there's no out-of-the-box installer configuration variable to affect that until the PR from comment 8 merges.

Comment 18 errata-xmlrpc 2018-12-13 17:09:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3750