Bug 1823852 - Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
Summary: Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.3.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Antonio Murdaca
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On:
Blocks: 1827539
Reported: 2020-04-14 15:50 UTC by Chad Scribner
Modified: 2023-10-06 19:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1827539 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:27:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 1649 0 None closed Bug 1823852: pkg/server: disable weak TLS versions 2020-06-23 10:01:48 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:27:47 UTC

Comment 9 Michael Nguyen 2020-04-29 17:07:58 UTC
Verified on 4.5.0-0.nightly-2020-04-28-045946.  openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -cipher $(openssl ciphers) -connect localhost:22623 only allows connections using TLS1.2 and above.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-04-28-045946   True        False         130m    Cluster version is 4.5.0-0.nightly-2020-04-28-045946
$ oc get node
NAME                                         STATUS   ROLES    AGE    VERSION
ip-10-0-133-67.us-west-2.compute.internal    Ready    master   152m   v1.18.0-rc.1
ip-10-0-134-255.us-west-2.compute.internal   Ready    worker   142m   v1.18.0-rc.1
ip-10-0-154-202.us-west-2.compute.internal   Ready    worker   142m   v1.18.0-rc.1
ip-10-0-155-175.us-west-2.compute.internal   Ready    master   156m   v1.18.0-rc.1
ip-10-0-172-82.us-west-2.compute.internal    Ready    master   152m   v1.18.0-rc.1
ip-10-0-173-79.us-west-2.compute.internal    Ready    worker   142m   v1.18.0-rc.1
$ oc debug node/ip-10-0-133-67.us-west-2.compute.internal
Starting pod/ip-10-0-133-67us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -cipher $(openssl ciphers) -connect localhost:22623
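The verification above checks the fix from the outside with openssl s_client. The Go example below, added here and not taken from the machine-config-operator code base, shows the server-side half of the same story: a crypto/tls server whose MinVersion is tls.VersionTLS10 (standing in for the pre-fix server that negotiated down to TLS 1.1) next to one whose floor is tls.VersionTLS12 (the hardened one), each probed by a client pinned to a single protocol version, which is what the -tls1_1 and -tls1 switches of openssl s_client do. The certificate, the pipe-based transport, and the helper names newServerConfig, selfSignedCert, probe and AcceptedVersions are constructed for this example; the cluster's own CA and listener are not involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions to probe, oldest first, and printable names for them.
var probeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}
var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS1.0", tls.VersionTLS11: "TLS1.1",
	tls.VersionTLS12: "TLS1.2", tls.VersionTLS13: "TLS1.3",
}

// newServerConfig models the server side of the bug. A floor of tls.VersionTLS10
// stands in for the pre-fix server that negotiated down to TLS 1.1; tls.VersionTLS12
// is the hardened setting. (Constructed for this example, not the MCO's own code.)
func newServerConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             minVersion,
		SessionTicketsDisabled: true, // keeps the handshake to one flight each way over net.Pipe
	}
}

// selfSignedCert creates a throwaway ECDSA certificate for "localhost" and a
// pool that trusts it. Constructed fixture for this example, not a cluster CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// probe runs one handshake over an in-memory pipe with the client pinned to a
// single protocol version and reports whether the server completed it.
func probe(serverCfg *tls.Config, pool *x509.CertPool, version uint16) bool {
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: version,
		MaxVersion: version,
	}
	cconn, sconn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // guard against a stalled handshake
	cconn.SetDeadline(deadline)
	sconn.SetDeadline(deadline)

	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(sconn, serverCfg).Handshake() }()

	err := tls.Client(cconn, clientCfg).Handshake()
	cconn.Close() // closing the raw pipe unblocks the server if it is still reading
	<-serverDone
	sconn.Close()
	return err == nil
}

// AcceptedVersions reports, for every probed version, whether a server whose
// floor is minVersion accepts a client speaking exactly that version.
func AcceptedVersions(minVersion uint16) (map[uint16]bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := newServerConfig(cert, minVersion)
	out := make(map[uint16]bool, len(probeVersions))
	for _, v := range probeVersions {
		out[v] = probe(cfg, pool, v)
	}
	return out, nil
}

func main() {
	for _, floor := range []uint16{tls.VersionTLS10, tls.VersionTLS12} {
		res, err := AcceptedVersions(floor)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server MinVersion=%s\n", versionNames[floor])
		for _, v := range probeVersions {
			fmt.Printf("  client pinned to %s: accepted=%v\n", versionNames[v], res[v])
		}
	}
}
```

With the TLS 1.0 floor every probe succeeds, which is the behaviour reported on port 22623; with the TLS 1.2 floor the TLS 1.0 and 1.1 probes fail at the ServerHello stage while 1.2 and 1.3 still complete, matching what the QA run observed. The version floor is set explicitly rather than relying on the Go default, because that default has changed between Go releases and an audit should not depend on it.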

Comment 11 errata-xmlrpc 2020-07-13 17:27:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
