CNV-21547

[2130588] crypto-policy: Common Ciphers support by apiserver and hco


    • CNV I/U Operators Sprint 226, CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228

      Description of problem:

      – patch apiserver with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

      $ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"}}]'
      The APIServer "cluster" is invalid:
      * spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: no supported cipher suite found
      * spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)

      – patch hco with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

      $ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}, type: "Custom"}}]'
      hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

      Cipher ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256 is mandatory for now for the apiserver.

      Version-Release number of selected component (if applicable):
      4.12 with FIPS

      How reproducible:
      always

      Steps to Reproduce:
      1. Try to patch apiserver and hco

      Actual results:

      Supported ciphers should be in sync. Here we see some ciphers that are not accepted by the apiserver while they are accepted by hco.

      Expected results:
      Common ciphers should be supported by all.

      Additional info:

      $ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}, type: "Custom"}}]'
      The APIServer "cluster" is invalid:
      * spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}: no supported cipher suite found
      * spec.tlsSecurityProfile.custom.minTLSVersion: Unsupported value: "VersionTLS13": supported values: "VersionTLS10", "VersionTLS11", "VersionTLS12"

      --> No support for TLS 1.3 at the moment
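The inconsistency the report shows is that the HCO accepted a cipher list the API server rejects, so the two components would end up with profiles that cannot be the same. The Go program below is an added example, not code from this issue or from the OpenShift or HCO projects: a pre-flight check an administrator can run on a proposed custom profile before patching either resource. It applies the three rules visible in the API server's error output above: minTLSVersion is limited to VersionTLS10 through VersionTLS12, every cipher name must resolve to a suite Go's crypto/tls can actually negotiate, and at least one HTTP/2-required AES_128_GCM_SHA256 ECDHE suite must remain. The CustomProfile type, the ValidateCustomProfile function and the opensslToGo name table are constructed for this example; the table is a partial assumption covering ECDHE TLS 1.2 suites only (Go has no DHE suites, and its TLS 1.3 suites are not configurable through CipherSuites), which is why the DHE and TLS 1.3 names from the report are reported as unsupported.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CustomProfile holds the two fields patched in the report
// (spec.tlsSecurityProfile.custom.minTLSVersion and .ciphers).
type CustomProfile struct {
	MinTLSVersion string
	Ciphers       []string // OpenSSL-style names, as the API expects them
}

// opensslToGo is a constructed, deliberately partial table mapping OpenSSL-style
// names to Go crypto/tls suite IDs. Only ECDHE TLS 1.2 suites are listed: Go has
// no DHE suites, and Go's TLS 1.3 suites cannot be selected via CipherSuites, so
// any other name is treated as unsupported (the report's "no supported cipher
// suite found").
var opensslToGo = map[string]uint16{
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

// http2Required lists the suites Go's HTTP/2 server needs at least one of
// (the AES_128_GCM_SHA256 requirement quoted in the apiserver error).
var http2Required = map[uint16]bool{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
}

// goSupported is built from the running Go runtime, so the table above cannot
// silently name a suite this binary would refuse to negotiate.
var goSupported = func() map[uint16]bool {
	m := make(map[uint16]bool)
	for _, cs := range tls.CipherSuites() {
		m[cs.ID] = true
	}
	return m
}()

// ValidateCustomProfile returns every problem the apiserver would raise for
// the profile, or an empty slice when it would be accepted.
func ValidateCustomProfile(p CustomProfile) []string {
	var problems []string

	// minTLSVersion: the API in the report accepts only TLS 1.0 through 1.2.
	switch p.MinTLSVersion {
	case "VersionTLS10", "VersionTLS11", "VersionTLS12":
	default:
		problems = append(problems, fmt.Sprintf(
			"minTLSVersion: unsupported value %q (supported: VersionTLS10, VersionTLS11, VersionTLS12)",
			p.MinTLSVersion))
	}

	// Resolve each name; anything Go cannot negotiate is dropped and reported.
	var supported []uint16
	var rejected []string
	for _, name := range p.Ciphers {
		id, known := opensslToGo[name]
		if !known || !goSupported[id] {
			rejected = append(rejected, name)
			continue
		}
		supported = append(supported, id)
	}
	if len(supported) == 0 {
		problems = append(problems, fmt.Sprintf(
			"ciphers: no supported cipher suite found (rejected: %s)", strings.Join(rejected, ", ")))
	}

	// HTTP/2: at least one AES_128_GCM_SHA256 ECDHE suite must survive filtering.
	hasH2 := false
	for _, id := range supported {
		if http2Required[id] {
			hasH2 = true
			break
		}
	}
	if !hasH2 {
		problems = append(problems,
			"ciphers: missing an HTTP/2-required suite (need ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)")
	}
	return problems
}

func main() {
	// The two profiles from the report plus one the apiserver accepts.
	profiles := map[string]CustomProfile{
		"dhe-only": {"VersionTLS12", []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}},
		"tls13":    {"VersionTLS13", []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}},
		"accepted": {"VersionTLS12", []string{"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}},
	}
	for name, p := range profiles {
		if problems := ValidateCustomProfile(p); len(problems) > 0 {
			fmt.Printf("%s:\n  %s\n", name, strings.Join(problems, "\n  "))
		} else {
			fmt.Printf("%s: OK\n", name)
		}
	}
}
```

Running the same check against a profile before it is applied to both resources is what keeps them in sync: a list that passes here can be patched into the apiserver and the HCO alike, while a list that fails is caught before the HCO quietly accepts something the apiserver will not.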

            jvilaca@redhat.com João Vilaça
            gkapoor@redhat.com Geetika Kapoor