Bug 1827540 - Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
Summary: Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.3.0
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
Target Release: 4.3.z
Assignee: Antonio Murdaca
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 1827539
Blocks:
 
Reported: 2020-04-24 07:01 UTC by Antonio Murdaca
Modified: 2020-06-17 20:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1827539
Environment:
Last Closed: 2020-06-17 20:27:11 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-config-operator pull 1681 0 None closed [release-4.3] Bug 1827540: pkg/server: disable weak TLS versions 2020-06-15 10:34:53 UTC
Red Hat Product Errata RHBA-2020:2436 0 None None None 2020-06-17 20:28:16 UTC

Comment 1 Antonio Murdaca 2020-05-07 20:20:26 UTC
Still waiting on the 4.4 backport. Then this.

Comment 5 Micah Abbott 2020-06-09 15:28:03 UTC
Verified with 4.3.0-0.nightly-2020-06-08-205315

1.  Installed a cluster with 4.3.24 and checked existing behavior; TLS 1.1 connections are accepted.

*NOTE*: 4.3 uses golang 1.12 which has TLS 1.3 support disabled by default, so the TLS 1.3 connections fail

```
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.24    True        False         65s     Cluster version is 4.3.24

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-128-75.us-west-1.compute.internal    Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-132-230.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9
ip-10-0-138-111.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9
ip-10-0-138-178.us-west-1.compute.internal   Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-149-199.us-west-1.compute.internal   Ready    master   15m   v1.16.2+18cfcc9
ip-10-0-157-151.us-west-1.compute.internal   Ready    worker   10m   v1.16.2+18cfcc9

$ oc debug node/ip-10-0-128-75.us-west-1.compute.internal
Starting pod/ip-10-0-128-75us-west-1computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.75
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_3 -quiet -connect localhost:22623
139708114376512:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_2 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_1 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
```

2. Upgrade to 4.3.0-0.nightly-2020-06-08-205315 and verify that TLS 1.1 connections are disallowed.


```
$ oc adm upgrade --allow-explicit-upgrade=true --force=true --to-image=registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2020-06-08-205315

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-06-08-205315   True        False         5m31s   Cluster version is 4.3.0-0.nightly-2020-06-08-205315

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-128-75.us-west-1.compute.internal    Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-132-230.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9
ip-10-0-138-111.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9
ip-10-0-138-178.us-west-1.compute.internal   Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-149-199.us-west-1.compute.internal   Ready    master   72m   v1.16.2+18cfcc9
ip-10-0-157-151.us-west-1.compute.internal   Ready    worker   66m   v1.16.2+18cfcc9

$ oc debug node/ip-10-0-128-75.us-west-1.compute.internal
Starting pod/ip-10-0-128-75us-west-1computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.75
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_3 -quiet -connect localhost:22623
140406581020480:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_2 -quiet -connect localhost:22623
Can't use SSL_get_servername
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.ci-ln-884ghn2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
sh-4.4# openssl s_client -CAfile /etc/kubernetes/static-pod-resources/etcd-member/ca.crt -tls1_1 -quiet -connect localhost:22623
140670424561472:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
```
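
The verification above decides whether a protocol version is accepted by whether the handshake completes or dies with "SSL alert number 70", which is the TLS protocol_version alert; the certificate verify errors it also prints are a separate matter (the CA file used is not the issuer of the serving cert) and do not indicate a version being refused. The same weak-versus-fixed comparison, reproduced in Go as an added example: this is not the machine-config-operator's code and nothing in it is taken from the linked pull request. It stands up two loopback listeners with a constructed self-signed certificate (the hostname in it is hypothetical) and probes each with a client pinned to a single version, the way `openssl s_client -tls1_1` does. The weak side sets `MinVersion: tls.VersionTLS10` explicitly; on Go 1.12 that was what an unset `MinVersion` meant, while newer Go releases have raised the defaults, so the pre-fix condition has to be spelled out for the demonstration to hold on current toolchains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for 127.0.0.1.
// Constructed test material only: not a cluster CA and not the MCS serving cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "api-int.example.test"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// weakConfig reproduces the pre-fix condition: the server still negotiates
// TLS 1.0 and 1.1. On Go 1.12 an unset MinVersion had exactly this effect.
func weakConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// hardenedConfig is the shape of the fix: refuse anything below TLS 1.2.
func hardenedConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// serve starts a TLS listener on an ephemeral loopback port and drives the
// handshake on each connection so that a version mismatch is reported to the client.
func serve(cfg *tls.Config) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probe pins the client to exactly one protocol version, as `openssl s_client
// -tls1_1` does, and returns the version the server agreed to, or the handshake
// error (a protocol_version alert when the server refuses that version).
func probe(addr string, version uint16, roots *x509.CertPool) (uint16, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", MinVersion: version, MaxVersion: version}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	servers := []struct {
		name string
		cfg  *tls.Config
	}{{"weak", weakConfig(cert)}, {"hardened", hardenedConfig(cert)}}
	for _, s := range servers {
		addr, stop, err := serve(s.cfg)
		if err != nil {
			panic(err)
		}
		for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
			got, err := probe(addr, v, pool)
			fmt.Printf("%-8s server, client pinned to 0x%04x: negotiated 0x%04x, err=%v\n", s.name, v, got, err)
		}
		stop()
	}
}
```

`go run` on this prints one line per server-and-version pair: the weak listener negotiates both 0x0302 (TLS 1.1) and 0x0303 (TLS 1.2), the hardened one returns an error for the TLS 1.1 probe and negotiates only 0x0303. When auditing a real endpoint the same way, pin the client to each version in turn rather than relying on defaults, since modern clients (OpenSSL and Go alike) will quietly pick TLS 1.2 or 1.3 and never reveal that the server would also have accepted TLS 1.1.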

Comment 7 errata-xmlrpc 2020-06-17 20:27:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2436

