Bug 1623646 - etcd-3.2.22 weak ciphers enabled with no way of disabling
Summary: etcd-3.2.22 weak ciphers enabled with no way of disabling
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 3.10.z
Assignee: Michal Fojtik
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-29 19:29 UTC by Brian J. Beaudoin
Modified: 2021-12-10 17:13 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-13 17:09:08 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2018:3750 (last updated 2018-12-13 17:09:14 UTC)

Description Brian J. Beaudoin 2018-08-29 19:29:53 UTC
Description of problem:

https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-config-tls-cipher

The documentation suggests "Specifying TLS ciphers for etcd" is possible by adding configuration to the master-config.yaml. These options are not used for the etcd pod and weak ciphers are still enabled in etcd.

Modifying the pod to include `--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` does not resolve the issue either. No matter how etcd is invoked, it appears Go always initializes the list to the following:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA

Version-Release number of selected component (if applicable):

[root@master-310-1 ~]# oc rsh master-etcd-master-310-1.openshifthappens.com 
sh-4.2# etcd --version
etcd Version: 3.2.22
Git SHA: 1674e68
Go Version: go1.9.2
Go OS/Arch: linux/amd64
sh-4.2# 

How reproducible:

Steps to Reproduce:

1. Add the documented configuration to the master-config.yaml limiting the cipher suite to the desired list on all of the masters.

servingInfo:
  ...
  minTLSVersion: VersionTLS12
  cipherSuites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

2. Restart the services per the documentation (or reboot the node)

3. Create a short script to test the services on port 8443 and 2379:

#!/usr/bin/bash
# test script for checking ciphers on a port
# usage: ./test <port>
# `openssl ciphers` prints a colon-separated list, so split on ':'
IFS=:
for cipher in $(openssl ciphers); do
  echo "$cipher"
  # one handshake per cipher; s_client reports "New, TLSv1/SSLv3, Cipher is <name>"
  # on success and "Cipher is (NONE)" when the server refuses the cipher
  echo |\
    openssl s_client \
      -CAfile /etc/etcd/ca.crt \
      -tls1_2 -cipher "$cipher" \
      -connect master-310-1.openshifthappens.com:"$1" 2>/dev/null |\
        grep -v NONE
done|awk '/New/ {print $5}'

4. Check the supported ciphers.

[root@master-310-1 ~]# ./test 8443
ECDHE-RSA-AES128-GCM-SHA256

[root@master-310-1 ~]# ./test 2379
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA


Actual results:

The ciphers in https://github.com/etcd-io/etcd/issues/8320 specific to the issue are not disabled. These are ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.


Expected results:

Only the whitelisted cipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, should be able to be specified or used. All other ciphers should be blocked as with the master API and console.

Additional info:

The OpenShift 3.10 documentation suggests that etcd cipher suites may be verified by using the following command to see that etcd only supports ECDHE-RSA-AES128-GCM-SHA256 and that ciphers not in the whitelist are not allowed.

openssl s_client -connect etcd1.example.com:2379

Looking into the issue more deeply, the Dockerfile specifies a wrapper script to initialize the etcd environment as follows:

[root@master-310-1 ~]# oc rsh master-etcd-master-310-1.openshifthappens.com 
sh-4.2# grep CMD /root/buildinfo/Dockerfile-rhel7-etcd-3.2.22-9 
CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"]

The wrapper script does not export `ETCD_CIPHER_SUITES` and does not pass `--cipher-suites` on the command line. It merely does the following:

# Execute the commands passed to this script
exec "$@"

Updating the image so that --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is passed has no effect on the supported ciphers. Updating the image with an invalid cipher-suite results in an error (negative testing), so it is known the option is parsed.
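The mechanism behind what the report observes, shown as an added example (this is not etcd's code and not part of the bug report): etcd is a Go program, and a Go TLS server whose tls.Config.CipherSuites is nil serves Go's built-in default suite list, which is the list the reporter sees on port 2379 (Go 1.9's defaults included the two 3DES suites), while a non-nil list restricts the server to exactly those suites. The program below performs one TLS 1.2 handshake per probe over an in-memory net.Pipe, using a constructed self-signed RSA certificate, with the client offering a single suite the way `openssl s_client -cipher` does in step 3. Which suites the nil configuration accepts depends on the Go release that compiles this (recent Go releases have dropped 3DES from the defaults); the restricted configuration rejects the 3DES suites on any release.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

var (
	certOnce sync.Once
	testCert tls.Certificate
	testLeaf *x509.Certificate
	certErr  error
)

// testCertificate lazily builds a throwaway self-signed RSA certificate for
// "localhost" (constructed test material, not a real CA). RSA is used so the
// ECDHE-RSA and RSA suites named in the report can actually be negotiated.
func testCertificate() (tls.Certificate, *x509.Certificate, error) {
	certOnce.Do(func() {
		key, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			certErr = err
			return
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1),
			Subject:      pkix.Name{CommonName: "localhost"},
			DNSNames:     []string{"localhost"},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			certErr = err
			return
		}
		testLeaf, certErr = x509.ParseCertificate(der)
		testCert = tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	})
	return testCert, testLeaf, certErr
}

// Negotiated runs one TLS 1.2 handshake over an in-memory pipe. serverSuites is
// the server's tls.Config.CipherSuites: nil means Go's built-in defaults, which
// is what an etcd started without --cipher-suites ends up with; a non-nil list
// restricts the server to exactly those suites. The client offers one suite,
// mirroring the openssl s_client -cipher probe. It returns the negotiated suite
// or an error when the handshake is refused.
func Negotiated(serverSuites []uint16, clientSuite uint16) (uint16, error) {
	cert, leaf, err := testCertificate()
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // TLS 1.3 suites are not configurable; pin to 1.2 as the report does
	}
	cliCfg := &tls.Config{
		RootCAs:      pool, // trust only the constructed test certificate
		ServerName:   "localhost",
		CipherSuites: []uint16{clientSuite},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}

	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, srvCfg).Handshake() }()

	client := tls.Client(cConn, cliCfg)
	if err := client.Handshake(); err != nil {
		cConn.Close() // unblock the server goroutine if it is still writing
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().CipherSuite, nil
}

func main() {
	probes := []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // ECDHE-RSA-DES-CBC3-SHA in OpenSSL naming
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // DES-CBC3-SHA
	}
	configs := []struct {
		name   string
		suites []uint16
	}{
		{"defaults (CipherSuites nil, no --cipher-suites)", nil},
		{"restricted to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}},
	}
	for _, cfg := range configs {
		fmt.Println("server:", cfg.name)
		for _, p := range probes {
			verdict := "accepted"
			if _, err := Negotiated(cfg.suites, p); err != nil {
				verdict = "rejected"
			}
			fmt.Printf("  %-42s %s\n", tls.CipherSuiteName(p), verdict)
		}
	}
}
```

The point for operators is the second configuration: a suite list only takes effect if it reaches the server's tls.Config, which is exactly what the wrapper script above fails to arrange when it neither exports ETCD_CIPHER_SUITES nor passes --cipher-suites.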

Comment 3 Michal Fojtik 2018-08-30 08:41:40 UTC
Moving to etcd team.

Comment 8 Brian J. Beaudoin 2018-09-04 14:27:56 UTC
PR submitted by Vadim Rutkovsky addresses this issue:

https://github.com/openshift/openshift-ansible/pull/9883

Comment 9 Scott Dodson 2018-09-05 20:40:05 UTC
I think this bug should be CLOSED NOTABUG. There's nothing preventing someone from disabling these ciphers in 3.9+ today, though there's no out-of-the-box installer configuration variable to affect that until the PR from comment 8 merges.

Comment 18 errata-xmlrpc 2018-12-13 17:09:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3750

