Description of problem:
ciphers and minTLSVersion are not correct when setting tlsSecurityProfile to Old

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-10-20-140322

How reproducible:
100%

Steps to Reproduce:
1. oc create -f ingresscontroller-tlspolicy.yaml

spec:
  defaultCertificate:
    name: router-certs-default
  domain: tlspolicy.qe-hongli322.qe.devcluster.openshift.com
  replicas: 1
  tlsSecurityProfile:
    type: Old

Actual results:
$ oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io tlspolicy -o yaml
  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLSv12

Expected results:
see: https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L184
ECDHE-RSA-AES256-SHA384 should be removed from ciphers and minTLSVersion should be VersionTLS10

Additional info:
ECDHE-RSA-AES256-SHA384 will be removed when we bump cluster-ingress-operator to get https://github.com/openshift/api/pull/476/commits/70056df332890a0c0a0da7804450f89a01793d9c. We intentionally do not support TLS 1.0, so the behavior there is as intended, but perhaps we could document the restriction in the IngressController API specification.
https://github.com/openshift/api/commit/e0cb41738a209a5eed3298bfa9f189add4cadf65 adds back ECDHE-RSA-AES256-SHA384 and many other ciphers. The TLS security profile API specifies the ECDHE-RSA-AES256-SHA384 cipher (https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L44 and https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L214), and so does the Mozilla reference https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility.
https://github.com/openshift/cluster-ingress-operator/pull/316 bumps openshift/api for ingress-operator to add back support for ECDHE-RSA-AES256-SHA384 and other ciphers that were removed.
Dane, should this one be moved to QE? The bug linkages may be incorrect.
The cipher suites appear to be correct as I compare to https://github.com/openshift/cluster-ingress-operator/blob/master/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go#L195-L227. However, minTLSVersion is not being set properly. Let me look into a fix.
Dan, I pushed PR https://github.com/openshift/cluster-ingress-operator/pull/324 to fix this bug. It should be noted that openshift/api defines minTLSVersion as 1.0 for the Old profile. However, ingress does not support this version of TLS due to well-known vulnerabilities. Therefore, ingress-operator sets minTLSVersion to 1.1 for the Old profile.
verified with 4.3.0-0.nightly-2019-11-07-172437 and issue has been fixed.

$ oc get ingresscontroller/default -n openshift-ingress-operator -o yaml
<---snip--->
spec:
  replicas: 2
  tlsSecurityProfile:
    type: Old
status:
  tlsProfile:
    ciphers:
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - DHE-RSA-AES128-GCM-SHA256
    - DHE-RSA-AES256-GCM-SHA384
    - DHE-RSA-CHACHA20-POLY1305
    - ECDHE-ECDSA-AES128-SHA256
    - ECDHE-RSA-AES128-SHA256
    - ECDHE-ECDSA-AES128-SHA
    - ECDHE-RSA-AES128-SHA
    - ECDHE-ECDSA-AES256-SHA384
    - ECDHE-RSA-AES256-SHA384
    - ECDHE-ECDSA-AES256-SHA
    - ECDHE-RSA-AES256-SHA
    - DHE-RSA-AES128-SHA256
    - DHE-RSA-AES256-SHA256
    - AES128-GCM-SHA256
    - AES256-GCM-SHA384
    - AES128-SHA256
    - AES256-SHA256
    - AES128-SHA
    - AES256-SHA
    - DES-CBC3-SHA
    minTLSVersion: VersionTLS11

$ oc get deployment -o yaml -n openshift-ingress
<---snip--->
        - name: ROUTER_CIPHERS
          value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
        - name: SSL_MIN_VERSION
          value: TLSv1.1
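Added example (not code from openshift/api or cluster-ingress-operator) modelling the behaviour this thread settles on: the API's Old profile asks for TLS 1.0, the operator raises the floor to TLS 1.1, and the router deployment receives the colon-joined ROUTER_CIPHERS and SSL_MIN_VERSION values. The type and function names, the rank map and the TLSv1.0/TLSv1.2/TLSv1.3 spellings are assumptions; the cipher list and the TLSv1.1 spelling are taken from the verified output above.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSProtocolVersion uses the string form of the openshift/api version constants.
type TLSProtocolVersion string

const (
	VersionTLS10, VersionTLS11 TLSProtocolVersion = "VersionTLS10", "VersionTLS11"
	VersionTLS12, VersionTLS13 TLSProtocolVersion = "VersionTLS12", "VersionTLS13"
)

// versionRank orders the versions; an unknown value ranks 0 and is raised to the floor.
var versionRank = map[TLSProtocolVersion]int{VersionTLS10: 10, VersionTLS11: 11, VersionTLS12: 12, VersionTLS13: 13}

// FloorVersion is the operator floor the thread describes: TLS 1.0 is never served.
const FloorVersion = VersionTLS11

// OldMinTLSVersion is what openshift/api specifies for the Old profile.
const OldMinTLSVersion = VersionTLS10

// OldCiphers is the Old profile cipher list exactly as reported in the verified status above.
var OldCiphers = strings.Split("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"+
	"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"+
	"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"+
	"DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:"+
	"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"+
	"ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"+
	"DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:"+
	"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA", ":")

// EffectiveMinVersion raises a requested minimum below TLS 1.1 to TLS 1.1 and passes
// TLS 1.1 and above through unchanged; the bool reports whether a raise happened.
func EffectiveMinVersion(requested TLSProtocolVersion) (TLSProtocolVersion, bool) {
	if versionRank[requested] < versionRank[FloorVersion] {
		return FloorVersion, true
	}
	return requested, false
}

// RouterEnv renders ROUTER_CIPHERS (colon-joined) and SSL_MIN_VERSION ("TLSv1.1" is from the
// page; the other spellings are assumed by analogy) as the router deployment consumes them.
func RouterEnv(ciphers []string, minVersion TLSProtocolVersion) (routerCiphers, sslMinVersion string) {
	names := map[TLSProtocolVersion]string{VersionTLS10: "TLSv1.0", VersionTLS11: "TLSv1.1", VersionTLS12: "TLSv1.2", VersionTLS13: "TLSv1.3"}
	return strings.Join(ciphers, ":"), names[minVersion]
}

func main() {
	v, raised := EffectiveMinVersion(OldMinTLSVersion)
	c, m := RouterEnv(OldCiphers, v)
	fmt.Printf("raised=%v SSL_MIN_VERSION=%s\nROUTER_CIPHERS=%s\n", raised, m, c)
}
```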
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062