Description of problem:
SSP logging at the moment shows
{"level":"info","ts":1664398497.9982593,"logger":"setup","msg":"Got Ciphers and tlsProfile:","ciphers: ":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"tlsProfile: ":"VersionTLS12"}
It doesn't show from which source the ciphers are being enforced. In this case, I got the ciphers from APIServer and not from HCO as HCO doesn't have tlsSecurityProfile set. It will be good to know the source of getting ciphers and other details like TLS session based information.

Example:
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get apiserver cluster -ojsonpath={.spec.tlsSecurityProfile}
{"custom":{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get hco kubevirt-hyperconverged -ojsonpath={.spec.tlsSecurityProfile}
[cnv-qe-jenkins@c01-gkcrypt26-xr7zz-executor ~]$ oc get ssp ssp-kubevirt-hyperconverged -ojsonpath={.spec.tlsSecurityProfile}
{"custom":{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12"},"type":"Custom"}

Version-Release number of selected component (if applicable):
4.12

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
Logging Improvement needed

Expected results:
Logging Improvement to help users to get useful information at one place and easily accessible using must-gather

Additional info:
Test Env:
Deployed: OCP-4.12.0-rc.4
Deployed: CNV-v4.12.0-758

Test Cases:

What works

Test Case 1: On SSP, set Modern
  tlsSecurityProfile:
    modern: {}
    type: Modern

oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv| grep cipher
{"level":"info","ts":1670788666.9830906,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"],"tlsProfile: ":"VersionTLS13"}

Test Case 2: On SSP, set Old, but HCO points to modern

$ oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv --follow=true| grep cipher
{"level":"info","ts":1671105027.098432,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-RSA-AES128-SHA256","DHE-RSA-AES256-SHA256","AES128-GCM-SHA256","AES256-GCM-SHA384","AES128-SHA256","AES256-SHA256","AES128-SHA","AES256-SHA","DES-CBC3-SHA"],"tlsProfile: ":"VersionTLS10"}
======> This should be minTLSVersion
{"level":"info","ts":1671105027.0985553,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.0985746,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.098589,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105027.0986006,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
{"level":"info","ts":1671105032.0398319,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.0398426,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.039861,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_AES_128_CBC_SHA256"}
{"level":"info","ts":1671105032.0398755,"logger":"setup.TLSSecurityProfile","msg":"Unsupported cipher name: ","Cipher Name":"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
{"level":"info","ts":1671105032.0398805,"logger":"setup","msg":"Configured ciphers","ciphers":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53]}
=====> CAN BE MORE USER FRIENDLY

Reverts back to modern.

$ oc logs ssp-operator-56569f8cbd-nvj26 -n openshift-cnv| grep cipher
{"level":"info","ts":1671104814.0942738,"logger":"setup tls options","msg":"Got Ciphers and tlsProfile:","ciphers: ":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"],"tlsProfile: ":"VersionTLS13"}
{"level":"info","ts":1671104819.0134308,"logger":"setup","msg":"Configured ciphers","ciphers":[]}

What doesn't work
1. The cipher switch that happens when ciphers are overwritten by apiserver or hco, and the reason for the switch
2. Doesn't show handshake process logs for good/bad sessions
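The two gaps the test comment flags are the numeric "Configured ciphers" line and the missing source label. As an added illustration (not code from this bug report or from the SSP operator), the snippet below parses that exact log line, maps each suite ID to its IANA name with Go's crypto/tls, and resolves a profile with a source tag for logging; the SSP, then HCO, then APIServer precedence in ResolveProfile is an assumption that fits the report's narrative, not the operator's actual logic.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
)

// configuredLine is the "Configured ciphers" log line quoted in the test-case comment above.
const configuredLine = `{"level":"info","ts":1671105032.0398805,"logger":"setup","msg":"Configured ciphers","ciphers":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,156,157,47,53]}`

// DecodeConfiguredCiphers maps the numeric suite IDs in a "Configured ciphers" line to
// their IANA names via crypto/tls; an ID Go does not know comes back as "0xNNNN".
func DecodeConfiguredCiphers(line string) ([]string, error) {
	var rec struct {
		Msg     string   `json:"msg"`
		Ciphers []uint16 `json:"ciphers"`
	}
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return nil, err
	}
	if rec.Msg != "Configured ciphers" {
		return nil, fmt.Errorf("not a Configured ciphers line: %q", rec.Msg)
	}
	names := make([]string, 0, len(rec.Ciphers))
	for _, id := range rec.Ciphers {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names, nil
}

// Profile is the subset of tlsSecurityProfile shown by the report's oc output.
type Profile struct{ Ciphers []string; MinTLSVersion string }
// ResolveProfile returns the effective profile plus a source label to log. The order
// (SSP spec, else HCO spec, else APIServer cluster) is assumed to fit the report's
// narrative; it is not taken from the operator's code.
func ResolveProfile(ssp, hco, apiserver *Profile) (*Profile, string) {
	for _, c := range []struct{ p *Profile; src string }{{ssp, "ssp"}, {hco, "hco"}, {apiserver, "apiserver"}} {
		if c.p != nil {
			return c.p, c.src
		}
	}
	return nil, "none"
}

func main() {
	names, _ := DecodeConfiguredCiphers(configuredLine)
	// HCO has no profile, so the APIServer cluster profile wins, as in the description.
	p, src := ResolveProfile(nil, nil, &Profile{MinTLSVersion: "VersionTLS12"})
	fmt.Printf("source=%s minTLSVersion=%s ciphers=%v\n", src, p.MinTLSVersion, names)
}
```

Note that the four names the operator logs as unsupported are exactly suites Go's crypto/tls lists as insecure, which is why they never reach the configured list.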
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408