Bug
Resolution: Won't Do
CLOSED
High
Description of problem:
------------------------
With the default tlsSecurityProfile (Intermediate profile), connection validation over TLS v1.2 fails for the components virt-api, cdi-api, ssp-operator-service, ssp-operator-metrics, hostpath-provisioner-operator-service and kube-macpool-service, while TLS v1.3 works:
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_3 -brief <<< 'Q' 2>&1 | grep 'Protocol version'
Protocol version: TLSv1.3
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_2 -brief <<< 'Q' 2>&1 | grep 'Protocol version'
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_1 -brief <<< 'Q' 2>&1 | grep 'Protocol version'
sh-5.1#
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_2 -brief <<< 'Q' 2>&1
Can't use SSL_get_servername
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=20:unable to get local issuer certificate
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=21:unable to verify the first certificate
805BCA1FBB7F0000:error:1C8000E9:Provider routines:kdf_tls1_prf_derive:ems not enabled:providers/implementations/kdfs/tls1_prf.c:194:
805BCA1FBB7F0000:error:0A08010C:SSL routines:tls1_PRF:unsupported:ssl/t1_enc.c:83:
Version-Release number of selected component (if applicable):
--------------------------------------------------------------
CNV v4.13.3 & CNV 4.14
How reproducible:
-----------------
Always
Steps to Reproduce:
-------------------
0. Create a 6 node cluster ( 3 master + 3 worker ) with FIPS enabled.
1. Get the IP & port number of a service 'virt-api'
- oc get service -n openshift-cnv | grep virt-api
virt-api ClusterIP 172.30.29.99 <none> 443/TCP 17h
2. Validate the connection from one of the worker nodes
- oc debug node/<worker-node>
- chroot /host
- openssl s_client -connect 172.30.29.99:443 -tls1_2 -brief <<< 'Q' 2>&1
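As an added example (not part of this bug report), the following bash script repeats the probe from the steps above against a list of services and separates the FIPS-specific signature, `kdf_tls1_prf_derive:ems not enabled` (the OpenSSL FIPS provider refuses the TLS 1.2 PRF unless the server negotiated Extended Master Secret, RFC 7627), from an ordinary handshake failure. It assumes openssl 3.x on the node (`oc debug node/<node>; chroot /host`) and that the hostnames passed on the command line resolve from there; the sample outputs embedded in it are constructed for offline checks.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report: audit several services with the same
# openssl probe and classify the result. "ems not enabled" means the OpenSSL
# FIPS provider rejected the TLS 1.2 PRF because the server did not negotiate
# Extended Master Secret (RFC 7627); it is not a plain protocol refusal.

# Constructed samples of `openssl s_client -brief` output, for offline checks.
SAMPLE_FIPS_FAIL='depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=21:unable to verify the first certificate
801BD9D4EC7F0000:error:1C8000E9:Provider routines:kdf_tls1_prf_derive:ems not enabled:providers/implementations/kdfs/tls1_prf.c:194:'
SAMPLE_OK='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256'

# classify_probe: read probe output on stdin, print one verdict line.
classify_probe() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'ems not enabled'; then
    echo 'fips-ems-missing'
  elif printf '%s\n' "$out" | grep -q '^Protocol version: '; then
    echo "ok $(printf '%s\n' "$out" | sed -n 's/^Protocol version: //p')"
  else
    echo 'handshake-failed'
  fi
}

# probe HOST:PORT -tls1_X : run the reproduction command for one endpoint/version.
probe() {
  printf 'Q\n' | openssl s_client -connect "$1" "$2" -brief 2>&1 | classify_probe
}

# audit SERVICE... : one result line per service and TLS version (hostnames assumed to resolve).
audit() {
  for svc in "$@"; do
    for flag in -tls1_3 -tls1_2; do
      printf '%-45s %-8s %s\n' "$svc" "$flag" "$(probe "$svc" "$flag")"
    done
  done
}

if [ $# -gt 0 ]; then
  audit "$@"          # e.g. ./tls_audit.sh virt-api.openshift-cnv.svc:443
else                  # no endpoints given: classify the constructed samples
  printf '%s\n' "$SAMPLE_FIPS_FAIL" | classify_probe
  printf '%s\n' "$SAMPLE_OK" | classify_probe
fi
```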
Actual results:
---------------
Error when validating the connection with TLS v1.2
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_2 -brief <<< 'Q' 2>&1
Can't use SSL_get_servername
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=20:unable to get local issuer certificate
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=21:unable to verify the first certificate
801BD9D4EC7F0000:error:1C8000E9:Provider routines:kdf_tls1_prf_derive:ems not enabled:providers/implementations/kdfs/tls1_prf.c:194:
801BD9D4EC7F0000:error:0A08010C:SSL routines:tls1_PRF:unsupported:ssl/t1_enc.c:83:
Expected results:
-----------------
Connection validation should succeed with TLS v1.2, just as it does with TLS v1.3:
sh-5.1# openssl s_client -connect 172.30.29.99:443 -tls1_3 -brief <<< 'Q' 2>&1
Can't use SSL_get_servername
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=20:unable to get local issuer certificate
depth=0 CN = virt-api.openshift-cnv.pod.cluster.local
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer certificate: CN = virt-api.openshift-cnv.pod.cluster.local
Hash used: SHA256
Signature type: ECDSA
Verification error: unable to verify the first certificate
Server Temp Key: ECDH, prime256v1, 256 bits
DONE
Additional info:
-----------------
This issue is also found with CNV v4.14