Bug 2242207 - Incorrect error message thrown by hco when incorrect ciphers for minTLSVersion
Summary: Incorrect error message thrown by hco when incorrect ciphers for minTLSVersion
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Installation
Version: 4.14.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.15.0
Assignee: Simone Tiraboschi
QA Contact: SATHEESARAN
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-10-04 23:25 UTC by Geetika Kapoor
Modified: 2024-02-19 07:29 UTC

Fixed In Version: hco-bundle-registry-container-v4.15.0.rhel9-1550
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-14 16:18:17 UTC
Target Upstream Version:
Embargoed:




Links:
Github kubevirt/hyperconverged-cluster-operator issue 2553 (closed): When using TLS13 it should not be allowed to specify any ciphers (last updated 2023-10-24 14:19:53 UTC)
Github kubevirt/hyperconverged-cluster-operator pull 2554 (merged): Be stricter validating custom TLSSecurityProfiles (last updated 2023-10-24 14:19:50 UTC)
Github kubevirt/kubevirt pull 10584 (open): Add clarity to cipher rejection message (last updated 2023-10-18 12:17:52 UTC)
Red Hat Issue Tracker CNV-33686 (last updated 2023-12-14 16:18:17 UTC)

Description Geetika Kapoor 2023-10-04 23:25:08 UTC
Description of problem:
Incorrect error message is thrown by hco when the cipher doesn't belong to the same TLS version.

example:

oc patch hco kubevirt-hyperconverged -n openshift-cnv   --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256","ECDHE-RSA-AES128-SHA"]}, type: "Custom"} }]'
The request is invalid: spec.configuration.tlsConfiguration.ciphers: You cannot specify ciphers when spec.configuration.tlsConfiguration.minTLSVersion is empty or VersionTLS13


"ECDHE-RSA-AES128-SHA" belongs to TLS v1.2 and this cipher cannot be used as it conflicts with minTLSVersion which is set as TLS 1.3

Remove this lower cipher:

$ oc patch hco kubevirt-hyperconverged -n openshift-cnv   --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

So the error message is misleading: it says that we cannot specify ciphers, while actually we cannot patch with lower ciphers based on minTLSVersion.


Version-Release number of selected component (if applicable):
4.14

How reproducible:
always 

Steps to Reproduce:
1. Use oc patch hco kubevirt-hyperconverged -n openshift-cnv   --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256","ECDHE-RSA-AES128-SHA"]}, type: "Custom"} }]'
2.
3.

Actual results:
Error message is misleading.

Expected results:


Additional info:

Comment 1 Simone Tiraboschi 2023-10-09 07:56:37 UTC
That error message comes from here:
https://github.com/kubevirt/kubevirt/blob/d30cc7dcdf0f7ebd85070cc2c320d3e93ac38da3/pkg/virt-operator/webhooks/kubevirt-update-admitter.go#L250

Moving to the virt-component for further investigation.

Comment 2 sgott 2023-10-18 13:00:52 UTC
On second thought, the error message is completely correct. If you specify any cipher at all, the admission webhook rejects the resource. Thus the message "you cannot specify ciphers" is actually the correct error message.

Comment 3 Felix Matouschek 2023-10-18 13:03:00 UTC
I would expect this command to fail too:

oc patch hco kubevirt-hyperconverged -n openshift-cnv   --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'

With VersionTLS13 you cannot set any ciphers at all.

Comment 4 SATHEESARAN 2023-11-23 18:51:20 UTC
Verified with CNV 4.15 ( Build v4.15.0.rhel9-1660 )

When trying to set HCO tlsSecurityProfile with the 'custom' profile, with minTLSVersion as 'VersionTLS13'
and cipher suites, there is a meaningful error:
"custom ciphers cannot be selected when minTLSVersion is VersionTLS13"

<snip>
[ ~]$ oc patch hco kubevirt-hyperconverged -n openshift-cnv   --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13",ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'
Error from server (Forbidden): admission webhook "validate-hco.kubevirt.io" denied the request: custom ciphers cannot be selected when minTLSVersion is VersionTLS13
</snip>

With this observation, verifying this bug.
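The rule that comments 2 and 3 describe and comment 4 verifies (a custom profile with minTLSVersion VersionTLS13 must not carry any ciphers) written out as a small Go validator. This is an added example, not the HCO or kubevirt webhook code; the struct and function names are this example's own, and the check for unknown minTLSVersion values is the example's addition.

```go
package main

import (
	"errors"
	"fmt"
)

// CustomTLSProfile mirrors the shape of the spec.tlsSecurityProfile.custom
// block in the oc patch commands above. Names are this example's own.
type CustomTLSProfile struct {
	MinTLSVersion string
	Ciphers       []string
}

// The four TLSProtocolVersion names accepted by OpenShift's TLS profile API.
var knownMinVersions = map[string]bool{
	"VersionTLS10": true, "VersionTLS11": true,
	"VersionTLS12": true, "VersionTLS13": true,
}

// ValidateCustomTLSProfile rejects any cipher list once the minimum version
// is TLS 1.3. Go's crypto/tls does not let callers pick TLS 1.3 suites, so a
// list given there could never be honoured; refusing it loudly is safer than
// silently ignoring it.
func ValidateCustomTLSProfile(p CustomTLSProfile) error {
	if !knownMinVersions[p.MinTLSVersion] {
		// Example's own sanity check, not a rule from the bug report.
		return fmt.Errorf("unknown minTLSVersion %q", p.MinTLSVersion)
	}
	if p.MinTLSVersion == "VersionTLS13" && len(p.Ciphers) > 0 {
		// Message as shown by the verified 4.15 build in comment 4.
		return errors.New("custom ciphers cannot be selected when minTLSVersion is VersionTLS13")
	}
	return nil
}

func main() {
	// Constructed inputs: the two patches from the report plus a TLS 1.2 profile.
	cases := []CustomTLSProfile{
		{"VersionTLS13", []string{"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-AES128-SHA"}},
		{"VersionTLS13", []string{"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}},
		{"VersionTLS13", nil},
		{"VersionTLS12", []string{"ECDHE-RSA-AES128-SHA"}},
	}
	for _, p := range cases {
		fmt.Printf("%s %v -> %v\n", p.MinTLSVersion, p.Ciphers, ValidateCustomTLSProfile(p))
	}
}
```

Both TLS 1.3 patches from the report are rejected with the same message, which is the stricter behaviour the fix in PR 2554 introduces; only a TLS 1.3 profile with no ciphers, or a lower minimum version, passes.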

