Still waiting on the 4.4 backport. Then this.
Verified with 4.3.0-0.nightly-2020-06-08-205315

1. Installed a cluster with 4.3.24 and checked existing behavior; TLS 1.1 connections are accepted. *NOTE*: 4.3 uses golang 1.12 which has TLS 1.3 support disabled by default, so the TLS 1.3 connections fail

```
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.24    True        False         65s     Cluster version is 4.3.24

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-128-75.us-west-1.compute.internal    Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-132-230.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9
ip-10-0-138-111.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9
ip-10-0-138-178.us-west-1.compute.internal   Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-149-199.us-west-1.compute.internal   Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-157-151.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9

$ oc debug node/ip-10-0-128-75.us-west-1.compute.internal
Starting pod/ip-10-0-128-75us-west-1computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.75
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_3 -quiet -connect localhost:22623
139708114376512:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_2 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_1 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
```

2. Upgrade to 4.3.0-0.nightly-2020-06-08-205315 and verify that TLS 1.1 connections are disallowed.

```
$ oc adm upgrade --allow-explicit-upgrade=true --force=true --to-image=registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2020-06-08-205315

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-06-08-205315   True        False         5m31s   Cluster version is 4.3.0-0.nightly-2020-06-08-205315

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-128-75.us-west-1.compute.internal    Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-132-230.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9
ip-10-0-138-111.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9
ip-10-0-138-178.us-west-1.compute.internal   Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-149-199.us-west-1.compute.internal   Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-157-151.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9

$ oc debug node/ip-10-0-128-75.us-west-1.compute.internal
Starting pod/ip-10-0-128-75us-west-1computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.75
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_3 -quiet -connect localhost:22623
140406581020480:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_2 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_1 -quiet -connect localhost:22623
140670424561472:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
```
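The before/after behaviour verified above, reproduced in Go as an added example that is not part of this bug or of OpenShift: a loopback HTTPS server (standard-library httptest with its built-in self-signed localhost certificate) whose tls.Config.MinVersion is set first to TLS 1.1 and then to TLS 1.2, probed by a client pinned to a single protocol version, the same check the openssl s_client -tls1_1 / -tls1_2 runs perform against port 22623. The function names probe and Accepted are chosen here, and MinVersion is set explicitly on both sides so the result does not depend on a Go release's defaults.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// probe dials addr offering exactly one protocol version. A nil result means the
// server completed the handshake; a non-nil one is the alert it sent instead,
// the Go-side equivalent of openssl's "tlsv1 alert protocol version".
func probe(addr string, version uint16) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // httptest's self-signed localhost cert; this is a probe, not a client
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Accepted starts a loopback HTTPS server whose tls.Config.MinVersion is minVersion
// and reports whether a TLS 1.1 client and a TLS 1.2 client can complete the handshake.
func Accepted(minVersion uint16) (tls11, tls12 bool) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	srv.TLS = &tls.Config{MinVersion: minVersion} // the knob that decides which versions a Go server admits
	srv.StartTLS()
	defer srv.Close()
	addr := strings.TrimPrefix(srv.URL, "https://")
	return probe(addr, tls.VersionTLS11) == nil, probe(addr, tls.VersionTLS12) == nil
}

func main() {
	// MinVersion TLS 1.1 mirrors the pre-fix cluster (1.1 admitted); TLS 1.2 mirrors the fixed one.
	for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
		tls11, tls12 := Accepted(v)
		fmt.Printf("server MinVersion=%#04x: TLS 1.1 accepted=%v, TLS 1.2 accepted=%v\n", v, tls11, tls12)
	}
}
```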
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2436