Bug 1747461 - The router in OCP4 accepts TLS1.0 and TLS1.1 connections with no way to disable them [4.1 backport]
Summary: The router in OCP4 accepts TLS1.0 and TLS1.1 connections with no way to disab...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On: 1746467
Blocks: 1778856
Reported: 2019-08-30 13:31 UTC by Ben Bennett
Modified: 2020-03-05 16:10 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1746467
Environment:
Last Closed: 2019-09-25 07:27:53 UTC
Target Upstream Version:

Links
System: Github | ID: openshift router pull 35 | Priority: None | Status: closed | Summary: [release-4.1] Bug 1747461: Expose control of the tls settings via router ENV | Last Updated: 2020-06-22 02:51:04 UTC
System: Red Hat Product Errata | ID: RHBA-2019:2820 | Priority: None | Status: None | Summary: None | Last Updated: 2019-09-25 07:28:01 UTC

Comment 2 Hongan Li 2019-09-19 02:34:19 UTC
Verified with 4.1.0-0.nightly-2019-09-18-220022 and the issue has been fixed.

$ openssl s_client -connect <web console route>:443 -tls1
CONNECTED(00000003)
139802301896512:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1535:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 187 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

$ openssl s_client -connect <web console route>:443 -tls1_1
CONNECTED(00000003)
139675855472448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1535:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 187 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported


Check haproxy.config:
  # Configure the TLS versions we support
  ssl-default-bind-options ssl-min-ver TLSv1.2
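
The same two checks the comment above performs by hand, as an added example that is not code from this bug or from the openshift/router project: a client handshake pinned to one TLS version so a refusal for TLS 1.0/1.1 (and acceptance of 1.2) can be observed, and a reader for the ssl-min-ver setting on ssl-default-bind-options in haproxy.config. ROUTER_HOST is a placeholder for the route under test.

```python
"""Check that a router refuses TLS 1.0/1.1 and that haproxy.config pins the
minimum version. Added example, not from the bug or openshift/router."""
import socket
import ssl

ROUTER_HOST = "console-openshift-console.apps.example.invalid"  # placeholder
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,  # control: should still be accepted
}
ACCEPTABLE_MIN = {"TLSv1.2", "TLSv1.3"}


def probe_version(host, version, port=443, timeout=5.0):
    """Handshake pinned to one TLS version. Returns 'accepted', 'rejected'
    (protocol_version alert or dropped connection) or 'error:<reason>'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only the version policy matters here
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 will not even offer TLS 1.0/1.1 at its default security
    # level; lower it so the legacy ClientHello really reaches the router.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLError as exc:
        # Alert 70 shows up as TLSV1_ALERT_PROTOCOL_VERSION; some servers
        # simply close the socket instead, which surfaces as SSLEOFError.
        if isinstance(exc, ssl.SSLEOFError) or exc.reason == "TLSV1_ALERT_PROTOCOL_VERSION":
            return "rejected"
        return f"error:{exc.reason}"
    except OSError as exc:
        return f"error:{exc}"


def haproxy_min_version(config_text):
    """Return the ssl-min-ver set on ssl-default-bind-options, or None."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:1] == ["ssl-default-bind-options"] and "ssl-min-ver" in parts:
            i = parts.index("ssl-min-ver")
            return parts[i + 1] if i + 1 < len(parts) else None
    return None


def legacy_disabled(config_text):
    """True when the configured minimum excludes TLS 1.0 and TLS 1.1."""
    return haproxy_min_version(config_text) in ACCEPTABLE_MIN
```

With the fix in place, probe_version(ROUTER_HOST, VERSIONS["TLSv1.0"]) and the TLSv1.1 probe return "rejected" while the TLSv1.2 probe returns "accepted", and legacy_disabled() on the router pod's haproxy.config returns True.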

Comment 4 errata-xmlrpc 2019-09-25 07:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2820