
[2139222] tlsSecurityProfile `Old` does not work on FIPS enabled cluster


Details

    • Medium

    Description

      Description of problem:
      On a cluster with FIPS mode enabled it is not possible to connect to virt-api with old TLS versions (v1.0 and v1.1).

      I can set `tlsSecurityProfile: type: Old` and the configuration is successfully propagated to the KubeVirt CR:

      $ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -o json | jq .spec.configuration.tlsConfiguration
      {
        "ciphers": [
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_AES_256_CBC_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
        ],
        "minTLSVersion": "VersionTLS10"
      }

      But virt-api still allows only TLS v1.2:

      $ nmap --script ssl-enum-ciphers -p 1443 127.0.0.1
      Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-01 17:31 EDT
      Nmap scan report for localhost (127.0.0.1)
      Host is up (0.000078s latency).

      PORT     STATE SERVICE
      1443/tcp open  ies-lm
      | ssl-enum-ciphers:
      |   TLSv1.2:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
      |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
      |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
      |     compressors:
      |       NULL
      |     cipher preference: server
      |_  least strength: A

      Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds

      Version-Release number of selected component (if applicable):
      4.12 cluster with FIPS mode enabled

      Actual results:
      Only TLS v1.2 is allowed, even when "minTLSVersion" is set to a lower version.

      Expected results:
      Access is allowed with the specified ciphers and `minTLSVersion` parameters.

      Additional info:
      If this is expected behavior for a FIPS cluster, the docs probably need a note about it.
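The script below is an added example for this issue; it is not code from the report, from KubeVirt or from the HyperConverged operator. It automates the check the reporter did by hand: given the CR's `tlsConfiguration` and the output of `nmap --script ssl-enum-ciphers`, it lists the protocol versions and cipher suites the configured profile promises but the server never offers. Both inputs are embedded as constructed samples copied from the report above. `probe_version` and `probe_live` are assumed helpers for repeating the check against a live endpoint with Python's `ssl` module; note the security-level caveat there, since a modern OpenSSL client refuses TLS 1.0/1.1 on its own at the default level, which would look exactly like a server refusal.

```python
"""Compare the TLS posture KubeVirt's tlsConfiguration promises with what a
virt-api endpoint actually negotiates.  Added example; not project code."""
import re
import socket
import ssl

# Version names as written in the KubeVirt CR, lowest to highest.
KUBEVIRT_VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
# The labels nmap's ssl-enum-ciphers uses for the same versions.
NMAP_TO_KUBEVIRT = {"TLSv1.0": "VersionTLS10", "TLSv1.1": "VersionTLS11",
                    "TLSv1.2": "VersionTLS12", "TLSv1.3": "VersionTLS13"}
SSL_VERSION = {"VersionTLS10": ssl.TLSVersion.TLSv1, "VersionTLS11": ssl.TLSVersion.TLSv1_1,
               "VersionTLS12": ssl.TLSVersion.TLSv1_2, "VersionTLS13": ssl.TLSVersion.TLSv1_3}

# Constructed sample: the tlsConfiguration produced by profile `Old` in the report.
SAMPLE_CONFIG = {
    "minTLSVersion": "VersionTLS10",
    "ciphers": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}
# Constructed sample: the nmap output the reporter captured against port 1443.
SAMPLE_NMAP = """\
PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def expected_versions(tls_config):
    """Everything from minTLSVersion upward: the CR sets no maximum version."""
    return set(KUBEVIRT_VERSIONS[KUBEVIRT_VERSIONS.index(tls_config["minTLSVersion"]):])


def parse_nmap(output):
    """Return (versions, ciphers) that ssl-enum-ciphers reports the server accepting.
    Works with or without nmap's leading '|' tree characters."""
    versions = {NMAP_TO_KUBEVIRT[v] for v in re.findall(r"^\|?\s*(TLSv1\.[0-3]):", output, re.M)}
    ciphers = set(re.findall(r"^\|?\s*(TLS_[A-Z0-9_]+)\s+\(", output, re.M))
    return versions, ciphers


def compare(tls_config, observed_versions, observed_ciphers):
    """Diff the configured profile against the observed one.  The cipher list only
    governs TLS <= 1.2; Go's crypto/tls does not apply CipherSuites to TLS 1.3."""
    expected = expected_versions(tls_config)
    configured = set(tls_config["ciphers"])
    return {
        "missing_versions": sorted(expected - observed_versions),
        "unexpected_versions": sorted(observed_versions - expected),
        "missing_ciphers": sorted(configured - observed_ciphers),
        "unexpected_ciphers": sorted(observed_ciphers - configured),
    }


def probe_version(host, port, version_name, timeout=5.0):
    """Assumed helper: handshake pinned to one protocol version; True if the server
    completes it.  Modern OpenSSL refuses TLS 1.0/1.1 at its default security
    level, so the level is lowered; without that, a False would be the client's
    refusal rather than the server's."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # posture probe only; no trust decision here
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:  # LibreSSL builds do not know SECLEVEL
            ctx.set_ciphers("ALL")
        ctx.minimum_version = SSL_VERSION[version_name]
        ctx.maximum_version = SSL_VERSION[version_name]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_live(host, port):
    """Assumed helper: the set of versions a live endpoint accepts."""
    return {v for v in KUBEVIRT_VERSIONS if probe_version(host, port, v)}


if __name__ == "__main__":
    import json
    versions, ciphers = parse_nmap(SAMPLE_NMAP)
    print(json.dumps(compare(SAMPLE_CONFIG, versions, ciphers), indent=2))
```

Run against the samples, `missing_versions` comes back as TLS 1.0, 1.1 and 1.3 and `missing_ciphers` lists the fourteen CBC, ChaCha20, ECDSA and 3DES suites the server never offered, which is the gap the report describes in one line. For a live check, replace the nmap parsing with `probe_live(host, port)` and feed its result to `compare` with an empty cipher set.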

            People

              sgott@redhat.com Stuart Gott
              dshchedr@redhat.com Denys Shchedrivyi
              Kedar Bidarkar Kedar Bidarkar