Bug 2139222 - tlsSecurityProfile `Old` does not work on FIPS enabled cluster
Summary: tlsSecurityProfile `Old` does not work on FIPS enabled cluster
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 4.12.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.13.0
Assignee: sgott
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Duplicates: 2161719
Depends On:
Blocks:
Reported: 2022-11-01 21:41 UTC by Denys Shchedrivyi
Modified: 2023-01-25 13:23 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-25 13:23:24 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker CNV-22160 (last updated 2022-11-01 21:50:08 UTC)

Description Denys Shchedrivyi 2022-11-01 21:41:28 UTC
Description of problem:
 On a cluster with FIPS mode enabled, it is not possible to connect to virt-api with old TLS versions (v1.0 and v1.1).

 I can set `tlsSecurityProfile: type: Old` and the configuration is successfully propagated to the Kubevirt:

$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -o json | jq .spec.configuration.tlsConfiguration
{
  "ciphers": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
  ],
  "minTLSVersion": "VersionTLS10"
}

 But virt-api still allows only TLS v1.2:

$ nmap --script ssl-enum-ciphers -p 1443 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-01 17:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds

Version-Release number of selected component (if applicable):
4.12 cluster with FIPS mode enabled


Actual results:
 Only TLS v1.2 is allowed even when "minTLSVersion" is set to a lower version

Expected results:
 Allow access with specified ciphers and `minTLSVersion` parameters

Additional info:
 If this is expected behavior for a FIPS cluster, there probably needs to be a note in the docs.
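
Added example (not part of the bug report and not KubeVirt's code): a Go program that builds the server config the Old profile above requests (minTLSVersion VersionTLS10 and the 18 listed suites), applies the clamp a FIPS cluster enforces as an explicit, inspectable step, and runs in-process handshakes to show that a client pinned to TLS 1.0 succeeds against the configured profile but is refused after the clamp, while a TLS 1.2 client still connects. Go's crypto/tls applies an equivalent clamp implicitly when built in FIPS mode; the bug does not say which mechanism virt-api uses, so the FIPS suite list here is an assumption modeled on the four suites nmap observed plus their ECDSA counterparts (absent from the scan only because virt-api presented an RSA certificate), and the throwaway certificate is constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"slices"
	"strings"
	"time"
)

// Suite list the bug shows propagated for tlsSecurityProfile type Old, in server-preference order.
var oldProfileCiphers = strings.Fields(`
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA`)

// ASSUMED model of what a FIPS-mode stack keeps: the four suites nmap observed plus their ECDSA twins.
var fipsSuites = strings.Fields(`
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384`)

// suiteIDs maps IANA names to Go suite IDs, keeping order and dropping names this build lacks.
func suiteIDs(names []string) (ids []uint16) {
	byName := map[string]uint16{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[s.Name] = s.ID
	}
	for _, n := range names {
		if id, ok := byName[n]; ok {
			ids = append(ids, id)
		}
	}
	return ids
}

// ProfileOld is the server config the Old profile requests: a TLS 1.0 floor and all 18 suites.
func ProfileOld(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS10, CipherSuites: suiteIDs(oldProfileCiphers)}
}

// ApplyFIPS clamps a config to what the FIPS cluster actually served: TLS 1.2 only, fipsSuites only.
// A FIPS-mode Go build does this implicitly inside crypto/tls; as an explicit step it can be inspected.
func ApplyFIPS(cfg *tls.Config) *tls.Config {
	out := cfg.Clone()
	out.MinVersion, out.MaxVersion = max(out.MinVersion, tls.VersionTLS12), tls.VersionTLS12 // scan listed only TLSv1.2
	out.CipherSuites = slices.DeleteFunc(slices.Clone(cfg.CipherSuites), func(id uint16) bool {
		return !slices.Contains(fipsSuites, tls.CipherSuiteName(id))
	})
	return out
}

// Negotiate runs one in-process handshake over net.Pipe with the client pinned to [clientMin, clientMax].
func Negotiate(server *tls.Config, clientMin, clientMax uint16) (uint16, error) {
	cli, srv := net.Pipe()
	defer func() { cli.Close(); srv.Close() }()
	cli.SetDeadline(time.Now().Add(5 * time.Second)) // turn any pipe deadlock into an error
	srv.SetDeadline(time.Now().Add(5 * time.Second))
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(srv, server).Handshake() }()
	client := tls.Client(cli, &tls.Config{InsecureSkipVerify: true, // throwaway self-signed cert below
		MinVersion: clientMin, MaxVersion: clientMax})
	cerr := client.Handshake()
	if serr := <-serverErr; cerr != nil || serr != nil {
		return 0, errors.Join(cerr, serr)
	}
	return client.ConnectionState().Version, nil
}

// SelfSignedCert is a throwaway RSA certificate so the server side can handshake; it panics on failure.
func SelfSignedCert() tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func main() {
	old := ProfileOld(SelfSignedCert())
	for _, srv := range []*tls.Config{old, ApplyFIPS(old)} {
		v, err := Negotiate(srv, tls.VersionTLS10, tls.VersionTLS10)
		fmt.Printf("server min=%#x suites=%d: TLS 1.0 client got %#x, err=%v\n", srv.MinVersion, len(srv.CipherSuites), v, err)
	}
}
```

`go run` prints one line per server config: the Old profile negotiates 0x301 with the TLS 1.0 client, the clamped config returns a protocol-version alert instead. Printing `tls.CipherSuiteName` over the clamped config's `CipherSuites` gives the list to diff against `nmap --script ssl-enum-ciphers` output such as the scan above; the only mismatch expected there is the ECDSA suites, which a scanner never sees when the server presents an RSA certificate.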

Comment 2 SATHEESARAN 2023-01-23 10:55:28 UTC
*** Bug 2161719 has been marked as a duplicate of this bug. ***

Comment 3 Kedar Bidarkar 2023-01-25 13:23:24 UTC
FIPS requires TLS version 1.2, which is totally fine and expected behavior.

Will be closing this bug.

