Bug 1763639
| Summary: | ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Hongan Li <hongli> |
| Component: | Networking | Assignee: | Daneyon Hansen <dhansen> |
| Networking sub component: | router | QA Contact: | Hongan Li <hongli> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | aos-bugs, dhansen, mmasters |
| Version: | 4.3.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-01-23 11:08:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
ECDHE-RSA-AES256-SHA384 will be removed when we bump cluster-ingress-operator to get https://github.com/openshift/api/pull/476/commits/70056df332890a0c0a0da7804450f89a01793d9c. We intentionally do not support TLS 1.0, so the behavior there is as intended, but perhaps we could document the restriction in the IngressController API specification.

https://github.com/openshift/api/commit/e0cb41738a209a5eed3298bfa9f189add4cadf65 adds back ECDHE-RSA-AES256-SHA384 and many other ciphers. The tls security profile api specifies the ECDHE-RSA-AES256-SHA384 cipher (https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L44 and https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L214) and so does the Mozilla reference https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility.

https://github.com/openshift/cluster-ingress-operator/pull/316 bumps openshift/api for ingress-operator to add back support for ECDHE-RSA-AES256-SHA384 and other ciphers that were removed.

Dane, should this one be moved to QE? The bug linkages may be incorrect.

The cipher suites appear to be correct as I compare to https://github.com/openshift/cluster-ingress-operator/blob/master/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go#L195-L227. However, minTLSVersion is not being set properly. Let me look into a fix.

Dan, I pushed PR https://github.com/openshift/cluster-ingress-operator/pull/324 to fix this bug. It should be noted that openshift/api defines minTLSVersion as 1.0 for the Old profile. However, ingress does not support this version of TLS due to well known vulnerabilities. Therefore, ingress-operator sets minTLSVersion to 1.1 for the Old profile.

Verified with 4.3.0-0.nightly-2019-11-07-172437 and the issue has been fixed.
```
$ oc get ingresscontroller/default -n openshift-ingress-operator -o yaml
<---snip--->
spec:
  replicas: 2
  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - DHE-RSA-AES128-GCM-SHA256
    - DHE-RSA-AES256-GCM-SHA384
    - DHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-ECDSA-AES256-SHA384
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - DHE-RSA-AES128-SHA256
    - DHE-RSA-AES256-SHA256
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES256-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLS11

$ oc get deployment -o yaml -n openshift-ingress
<---snip--->
        - name: ROUTER_CIPHERS
          value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
        - name: SSL_MIN_VERSION
          value: TLSv1.1
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062
Description of problem:
ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-10-20-140322

How reproducible:
100%

Steps to Reproduce:
1. oc create -f ingresscontroller-tlspolicy.yaml

```
spec:
  defaultCertificate:
    name: router-certs-default
  domain: tlspolicy.qe-hongli322.qe.devcluster.openshift.com
  replicas: 1
  tlsSecurityProfile:
    type: Old
```

Actual results:

```
$ oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io tlspolicy -o yaml
  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLSv12
```

Expected results:
see: https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L184
ECDHE-RSA-AES256-SHA384 should be removed from ciphers and minTLSVersion should be VersionTLS10

Additional info:
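The two observations in this bug (the pre-fix `status.tlsProfile` from the description and the post-fix status plus router deployment env from the verification) can be replayed as a small consistency check. The following is an added example, not code from cluster-ingress-operator or openshift/api. It embeds the cipher lists exactly as they appear in this bug and encodes the operator's stated policy that the Old profile is rendered with `VersionTLS11` rather than the API's TLS 1.0. The `VersionTLS11 -> TLSv1.1` pairing is the only mapping shown here; the other rows of `minVersionToHAProxy` follow the same naming and are an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// oldProfileRouterCiphers is the ROUTER_CIPHERS value from the verified router
// deployment in this bug: the Old profile's ciphers, colon-joined in the order
// the operator renders them.
const oldProfileRouterCiphers = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

// buggyStatusCiphers is the cipher list from the description's "Actual
// results" on 4.3.0-0.nightly-2019-10-20-140322, before the fix.
const buggyStatusCiphers = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

// expectedOldMinTLSVersion encodes the operator's stated policy: openshift/api
// declares TLS 1.0 for the Old profile, but ingress-operator sets 1.1.
const expectedOldMinTLSVersion = "VersionTLS11"

// minVersionToHAProxy maps API minTLSVersion constants to the SSL_MIN_VERSION
// value handed to the router. Only VersionTLS11 -> TLSv1.1 is shown in this
// bug; the other rows follow the same naming and are an assumption.
var minVersionToHAProxy = map[string]string{
	"VersionTLS10": "TLSv1.0", "VersionTLS11": "TLSv1.1",
	"VersionTLS12": "TLSv1.2", "VersionTLS13": "TLSv1.3",
}

// ParseRouterCiphers splits a colon-separated ROUTER_CIPHERS value into a slice.
func ParseRouterCiphers(v string) []string {
	if v == "" {
		return nil
	}
	return strings.Split(v, ":")
}

// subtract returns the entries of a that do not occur in b, preserving a's order.
func subtract(a, b []string) []string {
	seen := make(map[string]bool, len(b))
	for _, c := range b {
		seen[c] = true
	}
	var out []string
	for _, c := range a {
		if !seen[c] {
			out = append(out, c)
		}
	}
	return out
}

// DiffCiphers returns the ciphers missing from got and the extras got carries.
func DiffCiphers(want, got []string) (missing, extra []string) {
	return subtract(want, got), subtract(got, want)
}

// CheckStatus compares an IngressController's status.tlsProfile for the Old
// profile against the expected cipher list and minimum version and returns one
// finding per discrepancy; an empty result means it matches the fixed behaviour.
func CheckStatus(ciphers []string, minTLSVersion string) []string {
	var findings []string
	missing, extra := DiffCiphers(ParseRouterCiphers(oldProfileRouterCiphers), ciphers)
	if len(missing) > 0 || len(extra) > 0 {
		findings = append(findings, fmt.Sprintf("ciphers differ from Old profile: missing=%v extra=%v", missing, extra))
	}
	if minTLSVersion != expectedOldMinTLSVersion {
		findings = append(findings, fmt.Sprintf("minTLSVersion is %q, expected %q", minTLSVersion, expectedOldMinTLSVersion))
	}
	return findings
}

// CheckRouterEnv verifies that the router deployment's env reflects the status:
// same ciphers in the same order, and SSL_MIN_VERSION consistent with minTLSVersion.
func CheckRouterEnv(statusCiphers []string, statusMinTLS, routerCiphers, sslMinVersion string) []string {
	var findings []string
	if strings.Join(statusCiphers, ":") != routerCiphers {
		findings = append(findings, "ROUTER_CIPHERS does not match status.tlsProfile.ciphers (content or order)")
	}
	if want, ok := minVersionToHAProxy[statusMinTLS]; !ok {
		findings = append(findings, fmt.Sprintf("no SSL_MIN_VERSION mapping for %q", statusMinTLS))
	} else if sslMinVersion != want {
		findings = append(findings, fmt.Sprintf("SSL_MIN_VERSION is %q, expected %q for %s", sslMinVersion, want, statusMinTLS))
	}
	return findings
}

// main replays the bug: the pre-fix status yields findings, the verified
// status and router env yield none.
func main() {
	fmt.Println("before fix:", CheckStatus(ParseRouterCiphers(buggyStatusCiphers), "VersionTLSv12"))
	fmt.Println("after fix (status):", CheckStatus(ParseRouterCiphers(oldProfileRouterCiphers), "VersionTLS11"))
	fmt.Println("after fix (router env):", CheckRouterEnv(ParseRouterCiphers(oldProfileRouterCiphers), "VersionTLS11", oldProfileRouterCiphers, "TLSv1.1"))
}
```

Run against the pre-fix status it reports seven ciphers missing from the Old profile (the DHE-RSA suites, ECDHE-ECDSA-AES256-SHA384 and AES256-SHA256) and the unexpected `VersionTLSv12`; against the verified output it reports nothing. In a live cluster the inputs would come from `oc get ingresscontroller ... -o yaml` and the router deployment's env, as in the verification above.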