Bug 1763639 - ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old
Summary: ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.3.0
Assignee: Daneyon Hansen
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-10-21 08:28 UTC by Hongan Li
Modified: 2022-08-04 22:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-23 11:08:26 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift/api pull 488 (closed): operator/ingress: Only TLS 1.1 or 1.2 can be used (last updated 2021-01-14 09:48:20 UTC)
Github openshift/cluster-ingress-operator pull 324 (closed): Bug 1763639: Fixes minTLSVersion for Old profile (last updated 2021-01-14 09:48:20 UTC)
Red Hat Product Errata RHBA-2020:0062 (2020-01-23 11:08:56 UTC)

Description Hongan Li 2019-10-21 08:28:33 UTC
Description of problem:
ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-10-20-140322

How reproducible:
100%

Steps to Reproduce:
1. oc create -f ingresscontroller-tlspolicy.yaml
# ingresscontroller-tlspolicy.yaml; the IngressController named tlspolicy in
# openshift-ingress-operator that the "oc get" command under Actual results reads back
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: tlspolicy
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: router-certs-default
  domain: tlspolicy.qe-hongli322.qe.devcluster.openshift.com
  replicas: 1
  tlsSecurityProfile:
    type: Old

Actual results:
$ oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io tlspolicy -o yaml

  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLSv12

Expected results:
see: https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L184

ECDHE-RSA-AES256-SHA384 should be removed from ciphers and minTLSVersion should be VersionTLS10

Additional info:

Comment 1 Miciah Dashiel Butler Masters 2019-10-22 20:40:11 UTC
ECDHE-RSA-AES256-SHA384 will be removed when we bump cluster-ingress-operator to get https://github.com/openshift/api/pull/476/commits/70056df332890a0c0a0da7804450f89a01793d9c.

We intentionally do not support TLS 1.0, so the behavior there is as intended, but perhaps we could document the restriction in the IngressController API specification.

Comment 3 Daneyon Hansen 2019-10-29 16:21:29 UTC
https://github.com/openshift/cluster-ingress-operator/pull/316 bumps openshift/api for ingress-operator to add back support for ECDHE-RSA-AES256-SHA384 and other ciphers that were removed.

Comment 4 Dan Mace 2019-11-01 00:04:32 UTC
Dane, should this one be moved to QE? The bug linkages may be incorrect.

Comment 5 Daneyon Hansen 2019-11-06 21:12:42 UTC
The cipher suites appear to be correct as I compare to https://github.com/openshift/cluster-ingress-operator/blob/master/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go#L195-L227. However, minTLSVersion is not being set properly. Let me look into a fix.

Comment 6 Daneyon Hansen 2019-11-07 05:16:51 UTC
Dan,

I pushed PR https://github.com/openshift/cluster-ingress-operator/pull/324 to fix this bug. It should be noted that openshift/api defines minTLSVersion as 1.0 for the Old profile. However, ingress does not support this version of TLS due to well known vulnerabilities. Therefore, ingress-operator sets minTLSVersion to 1.1 for the Old profile.

Comment 8 Hongan Li 2019-11-08 10:02:27 UTC
Verified with 4.3.0-0.nightly-2019-11-07-172437; the issue has been fixed.

$ oc get ingresscontroller/default -n openshift-ingress-operator -o yaml
<---snip--->
spec:
  replicas: 2
  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - DHE-RSA-AES128-GCM-SHA256
    - DHE-RSA-AES256-GCM-SHA384
    - DHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-ECDSA-AES256-SHA384
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - DHE-RSA-AES128-SHA256
    - DHE-RSA-AES256-SHA256
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES256-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLS11

$ oc get deployment -o yaml -n openshift-ingress
<---snip--->
          - name: ROUTER_CIPHERS
            value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
          - name: SSL_MIN_VERSION
            value: TLSv1.1
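
Added example (not code from this bug, from openshift/api or from cluster-ingress-operator): a small Go program that encodes the Old profile exactly as the verified status in comment 8 lists it, applies the TLS 1.0 to TLS 1.1 clamp that comment 6 describes, renders the ROUTER_CIPHERS and SSL_MIN_VERSION values shown in the router deployment above, diffs an observed status.tlsProfile against the expected one (catching the VersionTLSv12 from the original report), and handshakes against a live router to confirm which protocol versions it actually accepts. The TLSProfile type, the function names and the host:port argument to probeVersions are this example's own; the cipher names and version strings are copied from this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"strings"
	"time"
)

// TLSProfile mirrors the fields of IngressController.status.tlsProfile.
type TLSProfile struct {
	Ciphers       []string
	MinTLSVersion string
}

// oldProfile is the Old profile as openshift/api declares it: the cipher list from the
// verified status in comment 8 and the declared TLS 1.0 minimum (comment 6), before the clamp.
var oldProfile = TLSProfile{
	Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
		"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305",
		"ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
		"ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
		"DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256", "AES128-GCM-SHA256", "AES256-GCM-SHA384",
		"AES128-SHA256", "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
	},
	MinTLSVersion: "VersionTLS10",
}

// effectiveProfile applies the ingress-operator rule from comment 6: the router does not
// serve TLS 1.0, so a declared VersionTLS10 is served as VersionTLS11.
func effectiveProfile(p TLSProfile) TLSProfile {
	out := TLSProfile{Ciphers: append([]string(nil), p.Ciphers...), MinTLSVersion: p.MinTLSVersion}
	if out.MinTLSVersion == "VersionTLS10" {
		out.MinTLSVersion = "VersionTLS11"
	}
	return out
}

// routerEnv renders a profile as the router's ROUTER_CIPHERS (OpenSSL names joined by ':')
// and SSL_MIN_VERSION values seen in comment 8; a TLS 1.0 minimum is refused, not rendered.
func routerEnv(p TLSProfile) (ciphers, minVersion string, err error) {
	versions := map[string]string{"VersionTLS11": "TLSv1.1", "VersionTLS12": "TLSv1.2", "VersionTLS13": "TLSv1.3"}
	v, ok := versions[p.MinTLSVersion]
	if !ok {
		return "", "", fmt.Errorf("minTLSVersion %q is not supported by the router", p.MinTLSVersion)
	}
	return strings.Join(p.Ciphers, ":"), v, nil
}

// checkStatus compares an observed status.tlsProfile with the expected one and returns one
// line per discrepancy (none when they agree). Cipher order is ignored, presence is not.
func checkStatus(observed, expected TLSProfile) []string {
	var diffs []string
	if observed.MinTLSVersion != expected.MinTLSVersion {
		diffs = append(diffs, "minTLSVersion: got "+observed.MinTLSVersion+", want "+expected.MinTLSVersion)
	}
	have, want := map[string]bool{}, map[string]bool{}
	for _, c := range observed.Ciphers {
		have[c] = true
	}
	for _, c := range expected.Ciphers {
		want[c] = true
		if !have[c] {
			diffs = append(diffs, "missing cipher: "+c)
		}
	}
	for _, c := range observed.Ciphers {
		if !want[c] {
			diffs = append(diffs, "unexpected cipher: "+c)
		}
	}
	return diffs
}

// probeVersions handshakes once per protocol version with a live router at addr (host:port,
// caller-supplied) and reports which it accepts. Certificate verification is skipped on purpose:
// this measures negotiation, not trust. A router with SSL_MIN_VERSION=TLSv1.1 must refuse TLSv1.0.
func probeVersions(addr string) map[string]bool {
	host, _, _ := net.SplitHostPort(addr)
	candidates := map[string]uint16{"TLSv1.0": tls.VersionTLS10, "TLSv1.1": tls.VersionTLS11, "TLSv1.2": tls.VersionTLS12, "TLSv1.3": tls.VersionTLS13}
	accepted := make(map[string]bool, len(candidates))
	for name, v := range candidates {
		cfg := &tls.Config{ServerName: host, MinVersion: v, MaxVersion: v, InsecureSkipVerify: true}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
		accepted[name] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return accepted
}

func main() {
	eff := effectiveProfile(oldProfile)
	ciphers, minVersion, _ := routerEnv(eff)
	fmt.Printf("SSL_MIN_VERSION=%s\nROUTER_CIPHERS=%s\n", minVersion, ciphers)
	// The original report showed VersionTLSv12 in status for the Old profile; flag it.
	reported := TLSProfile{Ciphers: eff.Ciphers, MinTLSVersion: "VersionTLSv12"}
	fmt.Println(checkStatus(reported, eff))
}
```

Running it prints the same SSL_MIN_VERSION and ROUTER_CIPHERS values as the deployment output in this comment, followed by the one-line discrepancy for the original report. To check a real cluster, feed the ciphers and minTLSVersion from `oc get ingresscontroller ... -o yaml` into checkStatus, and call probeVersions against a route's host:port: with the Old profile in place TLSv1.0 should be refused and TLSv1.1 accepted, which is the behaviour comment 6 describes and the API's declared minimum of TLS 1.0 does not.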

Comment 10 errata-xmlrpc 2020-01-23 11:08:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

