Bug 1778856 - No way to disable TLS v1.1
Summary: No way to disable TLS v1.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 3.11.z
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On: 1747461
Blocks:
Reported: 2019-12-02 16:40 UTC by Rich Megginson
Modified: 2022-08-04 22:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1778250
Environment:
Last Closed: 2020-03-20 00:12:40 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 24400 0 None closed Bug 1778856: Add MIN/MAX variables to SSL/TLS versions 2020-09-22 07:30:38 UTC
Red Hat Product Errata RHBA-2020:0793 0 None None None 2020-03-20 00:12:54 UTC

Comment 1 Rich Megginson 2019-12-02 16:44:14 UTC
According to https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html#env-variables, the way to configure TLS settings is via router environment variables.

For TLS, I believe the salient one is this:

ROUTER_CIPHERS  intermediate  Specify the set of ciphers supported by bind

Where "intermediate" means https://wiki.mozilla.org/Security/Server_Side_TLS

"Intermediate compatibility (recommended): For services that don't need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.

    Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    Cipher suites (TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    Protocols: TLS 1.2, TLS 1.3
    TLS curves: X25519, prime256v1, secp384r1
    Certificate type: ECDSA (P-256) (recommended), or RSA (2048 bits)
    DH parameter size: 2048 (ffdhe2048, RFC 7919)
    HSTS: max-age=63072000 (two years)
    Maximum certificate lifespan: 90 days (recommended) to 2 years
    Cipher preference: client chooses

So, according to this, port 443 should only respond to TLS 1.2 or later.


However, I am still able to use TLS 1.1:

> openssl s_client -connect kibana.origin311.logging.test:443 -tls1_1

CONNECTED(00000003)
depth=1 CN = openshift-signer@1561772088
...
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA

Comment 2 Dan Mace 2019-12-03 13:50:43 UTC
Workaround is to use a custom router template.

Comment 3 Rich Megginson 2019-12-03 15:47:44 UTC
(In reply to Dan Mace from comment #2)
> Workaround is to use a custom router template.

By this do you mean provide an explicit list of supported and/or unsupported cipher suites in the ROUTER_CIPHERS env. var.?

Comment 4 Dan Mace 2019-12-03 17:28:19 UTC
(In reply to Rich Megginson from comment #3)
> (In reply to Dan Mace from comment #2)
> > Workaround is to use a custom router template.
> 
> By this do you mean provide an explicit list of supported and/or unsupported
> cipher suites in the ROUTER_CIPHERS env. var.?

Unfortunately, there is no such environment variable configuration for TLS in 3.11. Support was introduced in https://github.com/openshift/router/pull/35 to enable the v4 TLS API. What I mean is that in 3.11, the user can specify a custom haproxy config template and configure the min/max version manually, e.g.

    ssl-default-bind-options ssl-min-ver TLSv1.2

Comment 5 Shirly Radco 2020-01-08 11:26:19 UTC
Can you please provide documentation on how to achieve this for 3.11?

Comment 8 Hongan Li 2020-03-12 02:37:13 UTC
Verified with atomic-openshift-3.11.187-1.git.0.be0cfd4.el7 and the issue has been fixed.

# oc set env dc/router SSL_MIN_VERSION=TLSv1.2 SSL_MAX_VERSION=TLSv1.3
# oc exec router-7-kb5vz -- grep ssl-min-ver haproxy.config
  ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3

# curl https://console.apps.0312-icn.qe.rhcloud.com -k -I --tlsv1.1
curl: (35) Peer reports incompatible or unsupported protocol version.
# curl https://console.apps.0312-icn.qe.rhcloud.com -k -I --tlsv1.2
HTTP/1.1 200 OK
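The two checks that matter in this thread are (a) whether the router's haproxy.config actually carries the `ssl-min-ver` / `ssl-max-ver` bind options from comment 4 and comment 8, and (b) whether the listener still negotiates TLS 1.1 the way comment 1's `openssl s_client -tls1_1` run did. The script below is an added example, not code from the OpenShift or HAProxy projects: it parses a dumped haproxy.config for the version floor and ceiling, decides whether TLS 1.1 and older are excluded, and can probe a route pinned to a single protocol version (the equivalent of `curl -k --tlsv1.1`). The sample config text is constructed, and the host name in the usage comment is a placeholder.

```python
"""Check a router's haproxy.config TLS version floor and probe a listener per version."""
import re
import socket
import ssl

# Version names HAProxy accepts for ssl-min-ver / ssl-max-ver, lowest first.
HAPROXY_VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Same versions as Python's ssl.TLSVersion enum, used for the live probe.
SSL_ENUM = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample configs (not real router dumps): one with the
# SSL_MIN_VERSION / SSL_MAX_VERSION fix applied, one with no floor at all.
SAMPLE_CONFIG_FIXED = """\
global
  maxconn 20000
defaults
  ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
"""
SAMPLE_CONFIG_NO_FLOOR = """\
global
  maxconn 20000
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
"""


def parse_bind_options(config_text):
    """Return (min_ver, max_ver) from the ssl-default-bind-options line;
    an option that is not present comes back as None."""
    min_ver = max_ver = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ssl-default-bind-options"):
            continue
        m = re.search(r"\bssl-min-ver\s+(\S+)", line)
        if m:
            min_ver = m.group(1)
        m = re.search(r"\bssl-max-ver\s+(\S+)", line)
        if m:
            max_ver = m.group(1)
    return min_ver, max_ver


def allowed_versions(config_text):
    """Versions the config permits, lowest first. Returns None when no floor is
    configured: then the OpenSSL build decides, which is exactly the situation
    in which TLSv1.1 was still accepted in this bug."""
    min_ver, max_ver = parse_bind_options(config_text)
    if min_ver is None:
        return None
    lo = HAPROXY_VERSIONS.index(min_ver)
    hi = HAPROXY_VERSIONS.index(max_ver) if max_ver else len(HAPROXY_VERSIONS) - 1
    return HAPROXY_VERSIONS[lo:hi + 1]


def tls11_disabled(config_text):
    """True only when the config provably excludes TLSv1.1 and everything older."""
    allowed = allowed_versions(config_text)
    return allowed is not None and (
        HAPROXY_VERSIONS.index(allowed[0]) > HAPROXY_VERSIONS.index("TLSv1.1"))


def probe_version(host, port, version_name, timeout=5.0):
    """Handshake with the listener pinned to exactly one protocol version.
    True if the server accepted it, False if the handshake was refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # like curl -k: we test the protocol, not the chain
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let a modern local OpenSSL offer TLS 1.0/1.1 at all
    try:
        ctx.minimum_version = SSL_ENUM[version_name]
        ctx.maximum_version = SSL_ENUM[version_name]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True                   # a pinned context can only negotiate that version
    except (ssl.SSLError, ValueError):        # server refused it, or local build cannot offer it
        return False


def audit(host, port=443):
    """Map each TLS version to whether the listener negotiates it."""
    return {v: probe_version(host, port, v) for v in HAPROXY_VERSIONS[1:]}


if __name__ == "__main__":
    print("fixed config excludes TLSv1.1:", tls11_disabled(SAMPLE_CONFIG_FIXED))
    print("no-floor config excludes TLSv1.1:", tls11_disabled(SAMPLE_CONFIG_NO_FLOOR))
    # Live check against a route (placeholder host; replace with your own):
    # print(audit("router.example.invalid"))
```

Feed `parse_bind_options` the output of `oc exec <router-pod> -- cat haproxy.config`; a `None` floor means the fix from comment 8 (or the custom template from comment 4) is not in effect. `audit` is the live counterpart of the two `curl` runs in comment 8, and reports a version as refused both when the router rejects it and when the local OpenSSL cannot offer it, so a `False` for TLSv1.1 on a very new client machine should be confirmed with the config check.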

Comment 10 errata-xmlrpc 2020-03-20 00:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0793

