+++ This bug was initially created as a clone of Bug #2139235 +++

Description of problem:
HCO and SSP need to have the ECDHE-ECDSA-AES128-GCM-SHA256 cipher enabled, but Kubevirt needs ECDHE-RSA-AES128-GCM-SHA256.
Not sure if it is by design, but personally I would think we need to adhere to the same standard.
Currently, we have to be sure that both of these ciphers are present, otherwise some components become non-responding.

Version-Release number of selected component (if applicable):
4.12

Actual results:
CNV components use different ciphers

Expected results:
CNV components use the same cipher

--- Additional comment from on 2022-11-02 12:14:15 UTC ---

I'm guessing that the severity is "high". Rationale being we should err on the safe side.
@acardace The original bug https://bugzilla.redhat.com/show_bug.cgi?id=2139235 was fixed and verified. This is a duplicate IMO.
My bad, different target release
Verify with build: CNV-v4.12.3-49
Check all CNV components' service ciphers (hco-webhook-service, kubevirt-operator-webhook, ssp-operator-service, virt-api)
....
PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
....
Move to verified.
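An added example, not part of the bug report or of any CNV component: a small Python check that parses `ssl-enum-ciphers` output like the listing above and reports which services share no suite with a given cipher list, which is the mismatch this bug describes. The function names and the port 8443 RSA-only service are constructed for illustration, and the OpenSSL-to-IANA name mapping covers only the ECDHE AES-GCM suites named in this report.

```python
import re

# Constructed sample. The 1443 block repeats the listing from the verification
# comment; the 8443 block is a made-up RSA-only service showing a mismatch.
SAMPLE = """\
PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+)\s")  # suite lines only, not "TLSv1.2:"
OPENSSL_RE = re.compile(r"^ECDHE-(ECDSA|RSA)-AES(128|256)-GCM-SHA(256|384)$")

def parse(output):
    """Map each open port to the set of IANA suite names nmap listed for it."""
    offered, port = {}, None
    for line in output.splitlines():
        if m := PORT_RE.match(line):
            port = int(m.group(1))
            offered[port] = set()
        elif (m := SUITE_RE.match(line)) and port is not None:
            offered[port].add(m.group(1))
    return offered

def to_iana(openssl_name):
    """Translate an OpenSSL ECDHE AES-GCM suite name to its IANA name."""
    m = OPENSSL_RE.match(openssl_name)
    if not m:
        raise ValueError(f"unsupported suite name: {openssl_name}")
    return "TLS_ECDHE_{}_WITH_AES_{}_GCM_SHA{}".format(*m.groups())

def unreachable(offered, allowed_openssl):
    """Ports that share no suite with a peer restricted to the allowed list."""
    allowed = {to_iana(name) for name in allowed_openssl}
    return sorted(p for p, suites in offered.items() if not suites & allowed)

if __name__ == "__main__":
    print(unreachable(parse(SAMPLE), ["ECDHE-ECDSA-AES128-GCM-SHA256"]))
```

An empty result for the intended cipher list means every scanned service offers at least one suite from it.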
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Virtualization 4.12.3 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2023:3283
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days