OpenShift Bugs / OCPBUGS-25184

Presence of ChaCha20 ciphers on FIPS enabled ROSA cluster


    • No
    • Sprint 254, NE Sprint 255, NE Sprint 256, NE Sprint 257, NE Sprint 263
    • 5
    • Rejected
    • False

      Description of problem:

      CHACHA20 cipher suites are not compatible with FIPS-enabled clusters.
      The cluster is allowing non-FIPS-compliant cipher suites via the OpenShift router, causing an issue during the TLS exchange. Specifically, the CHACHA20 cipher is causing the problem, as it is not FIPS compliant.
       
       
      The following are created by the ROSA router by the default tlsProfile:

      ciphers:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - DHE-RSA-AES128-GCM-SHA256
      - DHE-RSA-AES256-GCM-SHA384
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      minTLSVersion: VersionTLS1
      

      Actual results:

          Unsupported cipher suites present in FIPS mode ROSA clusters

      Expected results:

          There shouldn't be unsupported cipher suites in FIPS mode ROSA clusters

      Additional info:

          

              mmasters1@redhat.com Miciah Masters
              rhn-support-akadanna Archith Kadanna Palli
              Melvin Joseph Melvin Joseph
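
The check the report implies, as an added example (not code from the report or from OpenShift): it parses a tlsProfile cipher list in either block or flattened form and separates out the ChaCha20-Poly1305 suites. The function names, the token denylist and the sample profile are assumptions constructed from the list quoted in the description.

```python
import re

# Assumption for this example: a suite is flagged when its name contains one of
# these tokens. ChaCha20-Poly1305 is the only algorithm the report names.
NON_FIPS_TOKENS = ("CHACHA20", "POLY1305")

# Constructed sample: the cipher list quoted in the report, as a YAML list.
SAMPLE_PROFILE = """\
ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
minTLSVersion: VersionTLS1
"""


def parse_ciphers(profile_text):
    """Return cipher names from the `ciphers:` key, whether the list is
    block-formatted or flattened onto one line (as in the pasted report)."""
    m = re.search(r"ciphers:(.*?)(?=\b[A-Za-z]\w*:|\Z)", profile_text, re.S)
    return re.findall(r"[A-Z0-9][A-Z0-9_-]+", m.group(1)) if m else []


def audit(profile_text):
    """Split the profile into (flagged, kept) lists of (name, group) pairs.
    TLS 1.3 suites use TLS_* names and are reported as their own group,
    because OpenSSL-based servers configure them separately from the
    TLS 1.2-and-earlier cipher list."""
    flagged, kept = [], []
    for name in parse_ciphers(profile_text):
        group = "tls1.3" if name.startswith("TLS_") else "tls1.2"
        hit = any(tok in name for tok in NON_FIPS_TOKENS)
        (flagged if hit else kept).append((name, group))
    return flagged, kept


if __name__ == "__main__":
    flagged, kept = audit(SAMPLE_PROFILE)
    for name, group in flagged:
        print(f"non-FIPS suite in profile ({group}): {name}")
    print(f"{len(kept)} suites remain after removing flagged entries")
```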