Description of problem:

-- patch apiserver with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"} }]'
The APIServer "cluster" is invalid:
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: no supported cipher suite found
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)

-- patch hco with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

Cipher ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256 is mandatory for now for apiserver.

Version-Release number of selected component (if applicable):
4.12 with FIPS

How reproducible:
always

Steps to Reproduce:
1. Try to patch apiserver and hco

Actual results:
Supported ciphers should be in sync.
Here we see some of the ciphers which are not accepted by apiserver while they are accepted by hco.

Expected results:
Common ciphers should be supported by all.

Additional info:

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}, type: "Custom"} }]'
The APIServer "cluster" is invalid:
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}: no supported cipher suite found
* spec.tlsSecurityProfile.custom.minTLSVersion: Unsupported value: "VersionTLS13": supported values: "VersionTLS10", "VersionTLS11", "VersionTLS12"

--> No support for TLS 1.3 at the moment
Test Environment:

$ oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.12.0   OpenShift Virtualization   4.12.0    kubevirt-hyperconverged-operator.v4.11.0   Succeeded

Test Case 1: Patch when custom and minTLSVersion: "VersionTLS12"

1. Patch apiserver with custom ciphers

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"} }]'
The APIServer "cluster" is invalid:
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: no supported cipher suite found
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)

2. Patch hco with custom ciphers

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS11", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"} }]'
Error from server (http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)): admission webhook "validate-hco.kubevirt.io" denied the request: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)

Test Case 2: Patch when custom and minTLSVersion: "VersionTLS13"

1. Patch apiserver with custom ciphers

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}, type: "Custom"} }]'
The APIServer "cluster" is invalid:
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}: no supported cipher suite found
* spec.tlsSecurityProfile.custom.minTLSVersion: Unsupported value: "VersionTLS13": supported values: "VersionTLS10", "VersionTLS11", "VersionTLS12"

2. Patch hco with custom ciphers

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojsonpath={.spec.tlsSecurityProfile}
{"custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384"],"minTLSVersion":"VersionTLS13"},"type":"Custom"}

Test Result:
===========
Test Case 1 works as expected, but with Test Case 2 I see behavior differences between apiserver and hco.

Additional info:
================
If I specify the ciphers below:

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}, type: "Custom"} }]'
The request is invalid: spec.configuration.tlsConfiguration.ciphers: You cannot specify ciphers when spec.configuration.tlsConfiguration.minTLSVersion is empty or VersionTLS13

-- HCO failed to patch as the TLS version is 1.3, but in Test Case 2 we were able to patch with some set of ciphers.

I see a behavior issue when it comes to custom TLS 1.3 between apiserver and hco.
This is expected, see https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_AES_128_CCM_SHA256

so

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

is indeed valid, while

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}, type: "Custom"} }]'
The request is invalid: spec.configuration.tlsConfiguration.ciphers: You cannot specify ciphers when spec.configuration.tlsConfiguration.minTLSVersion is empty or VersionTLS13

is not. Maybe the text of the error message is misleading or at least confusing.
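The two validation rules visible in this thread, written up as a preflight check one could run before patching (an added example, not apiserver or HCO code; ValidateProfile is hypothetical, and the OpenSSL-to-IANA name table is constructed and covers only the suites named here). With VersionTLS13 only the fixed TLS 1.3 suite names pass, which is the HCO rule in the comment above; with VersionTLS12 and below, a name must map to a suite Go's crypto/tls implements and one of the two HTTP/2-required AES_128_GCM suites must be present, which is why the DHE-only lists in the report are rejected.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Constructed OpenSSL-name -> IANA-name table for the TLS 1.2 suites in this bug;
// DHE-* suites are absent because Go's crypto/tls does not implement them.
var opensslToIANA = map[string]string{
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// ValidateProfile is a hypothetical preflight for a Custom tlsSecurityProfile:
// with VersionTLS13 only the fixed TLS 1.3 suite names pass (the HCO rule);
// below that, names must map to a Go suite and one of the two HTTP/2-required
// AES_128_GCM suites must be present (the apiserver rule seen in the report).
func ValidateProfile(minTLSVersion string, ciphers []string) error {
	known := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() { // every suite Go implements, 1.2 and 1.3
		known[cs.Name] = cs
	}
	if minTLSVersion == "VersionTLS13" {
		for _, c := range ciphers {
			if cs, ok := known[c]; !ok || cs.SupportedVersions[0] != tls.VersionTLS13 {
				return fmt.Errorf("%s is not a TLS 1.3 suite name", c)
			}
		}
		return nil
	}
	mapped, hasHTTP2Suite := 0, false
	for _, c := range ciphers {
		if cs, ok := known[opensslToIANA[c]]; ok { // unmapped names are dropped
			mapped++
			hasHTTP2Suite = hasHTTP2Suite ||
				cs.ID == tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ||
				cs.ID == tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
		}
	}
	if mapped == 0 {
		return fmt.Errorf("no supported cipher suite found")
	}
	if !hasHTTP2Suite {
		return fmt.Errorf("http2: missing an HTTP/2-required AES_128_GCM_SHA256 cipher")
	}
	return nil
}
```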
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408