Created attachment 1789694 [details] Results from sslscan

Description of problem:
This component is using weak ciphers when scanned.

Version-Release number of selected component (if applicable):
4.8.0-fc.7

How reproducible:
Utilized the sslscan binary provided by https://github.com/rbsec/sslscan to scan the endpoint. This is accomplished on one of the hosts with internal SDN access.

Steps to Reproduce:
1. oc debug node/node.name
2. chroot /host
3. toolbox
4. yum install git zlib-devel make gcc -y
5. git clone https://github.com/rbsec/sslscan
6. cd sslscan
7. make static
8. ./sslscan (All openshift-monitoring operator service endpoints)

Actual results:
Endpoints utilize weak ciphers

Expected results:
Only strong ciphers are presented for use

Additional info:
Please review the attached Excel spreadsheet for the actual ciphers returned and their strong/weak status. Green is strong. Yellow is weak.
Created attachment 1789796 [details] serviceMonitor/openshift-monitoring/kubelet/3
Created attachment 1789797 [details] serviceMonitor/openshift-monitoring/etcd/0
For other openshift-monitoring endpoints, only serviceMonitor/openshift-monitoring/prometheus-adapter/0 has the issue; see the picture:
"scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0", "scrapeUrl": "https://10.131.0.11:6443/metrics", "health": "up"
"scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0", "scrapeUrl": "https://10.128.2.8:6443/metrics", "health": "up"
Created attachment 1789798 [details] serviceMonitor/openshift-monitoring/prometheus-adapter/0
Thanks Junqi. prometheus-adapter falls under our responsibility but not kubelet and etcd.
Tested with 4.9.0-0.nightly-2021-06-22-193627; no issue with prometheus-adapter.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759