Bug
Resolution: Unresolved
Moderate
As per the documentation, specify the required cipherSuites in OSSM SMCP.
For reference, I specified the below cipherSuites.
oc get smcp basic -oyaml -n istio-system
...
spec:
  security:
    controlPlane:
      mtls: true
      tls:
        cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
However, the istio route isn't accessible with the specified ciphers at all.
> curl -kv https://httpd.apps.ayush.example.com --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 --tlsV1.2 --tls-max 1.2
*   Trying 10.74.208.75:443...
* Connected to httpd.apps.ayush.example.com (10.74.208.75) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: ECDHE-ECDSA-AES128-GCM-SHA256
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

> curl -kv https://httpd.apps.ayush.example.com --ciphers ECDHE-ECDSA-AES256-GCM-SHA384 --tlsV1.2 --tls-max 1.2
*   Trying 10.74.208.75:443...
* Connected to httpd.apps.ayush.example.com (10.74.208.75) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: ECDHE-ECDSA-AES256-GCM-SHA384
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
OCP Cluster Version: 4.13.4
OSSM Operator Version: 2.4.2-0
SMCP Version: 2.4.2
For reproducing the issue, I deployed a sample HTTPD and created a secured gateway.
--> https://github.com/ay-garg/OpenShift-Service-Mesh-Secured-Gateway
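The following is an added pre-flight check for the SMCP cipherSuites setting shown in this report; it is not code from the report, from OSSM or from the linked repository. It takes a constructed copy of the `spec.security.controlPlane.tls.cipherSuites` fragment above (with YAML indentation restored), lists the individual suite names, flags things an operator should look at before blaming the mesh: a single list item that packs several comma-separated names (a different value from a list of names), suite names not in a known IANA-to-OpenSSL table, and CBC suites; it also reports which certificate key type each suite requires, since ECDHE_ECDSA suites can only be negotiated when the gateway serves an ECDSA certificate and ECDHE_RSA suites only with an RSA certificate, a mismatch giving exactly a handshake-failure alert. Finally it renders the matching `curl --ciphers` probe for each suite, using the OpenSSL names curl expects. The IANA-to-OpenSSL table and the hostname are taken from the report; the small YAML walker is an assumption that avoids a PyYAML dependency.

```python
# Constructed copy of the cipherSuites block from the report above, laid out as
# `oc get smcp ... -oyaml` would print it (indentation restored by hand).
SMCP_FRAGMENT = """\
spec:
  security:
    controlPlane:
      mtls: true
      tls:
        cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
"""

# IANA suite name -> OpenSSL/LibreSSL name (what `curl --ciphers` expects),
# covering the suites named in the report.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
}


def parse_cipher_suite_entries(yaml_text):
    """Return the raw list items under the first `cipherSuites:` key.

    Hypothetical minimal walker: it only understands a block sequence of
    `- item` lines directly under the key, which is all the SMCP field uses.
    """
    entries, key_indent = [], None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "cipherSuites:":
            key_indent = indent
            continue
        if key_indent is None:
            continue
        if stripped.startswith("- ") and indent >= key_indent:
            entries.append(stripped[2:].strip())
        elif stripped:
            break  # left the sequence
    return entries


def lint_cipher_suites(entries):
    """Split comma-packed items into individual suites and collect findings."""
    suites, findings = [], []
    for raw in entries:
        parts = [p.strip() for p in raw.split(",") if p.strip()]
        if len(parts) > 1:
            # One YAML list item holding several names is not a list of names.
            findings.append(f"one list item packs {len(parts)} suites: {raw[:40]}...")
        suites.extend(parts)
    for suite in suites:
        if suite not in IANA_TO_OPENSSL:
            findings.append(f"unknown suite name (check spelling/IANA form): {suite}")
        if "_CBC_" in suite:
            findings.append(f"CBC suite configured; prefer AEAD suites only: {suite}")
    return suites, findings


def cert_key_types_required(suites):
    """Certificate key types the configured suites can be negotiated with.

    ECDHE_ECDSA suites need an ECDSA server certificate, ECDHE_RSA suites an
    RSA one; a gateway serving the wrong key type cannot complete the handshake.
    """
    types = set()
    for suite in suites:
        if "_ECDSA_" in suite:
            types.add("ECDSA")
        elif "_RSA_" in suite:
            types.add("RSA")
    return types


def curl_probe_commands(suites, host):
    """Build one `curl --ciphers` probe per known suite, as in the report."""
    return [
        f"curl -kv https://{host} --ciphers {IANA_TO_OPENSSL[s]} --tlsv1.2 --tls-max 1.2"
        for s in suites if s in IANA_TO_OPENSSL
    ]


if __name__ == "__main__":
    found, problems = lint_cipher_suites(parse_cipher_suite_entries(SMCP_FRAGMENT))
    print(f"{len(found)} suites; cert key types usable: {sorted(cert_key_types_required(found))}")
    for p in problems:
        print("finding:", p)
    for cmd in curl_probe_commands(found, "httpd.apps.ayush.example.com"):
        print(cmd)
```

Run against the fragment as shown, it reports seven suites, notes that they arrived as a single list item and that one CBC suite is present, and shows that the list needs both an ECDSA and an RSA certificate to be fully usable; comparing that against the key type of the gateway's TLS secret is the first thing to check when every `--ciphers` probe ends in a handshake-failure alert.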