Details
Bug
Resolution: Unresolved
Normal
None
4.10.z
No
Sprint 246, Sprint 247, Sprint 248, Sprint 249, Sprint 250, Sprint 251, Sprint 252, Sprint 253
8
Rejected
False
Description
Description of problem:
CHACHA20 cipher suites are not compatible with FIPS-enabled clusters.
The cluster is allowing non-FIPS-compliant cipher suites via the OpenShift router, causing an issue during the TLS exchange. Specifically, the CHACHA20 cipher is causing the problem, as it is not FIPS compliant.
The following is the default tlsProfile created by the ROSA router:

    ciphers:
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-ECDSA-CHACHA20-POLY1305
    - ECDHE-RSA-CHACHA20-POLY1305
    - DHE-RSA-AES128-GCM-SHA256
    - DHE-RSA-AES256-GCM-SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    minTLSVersion: VersionTLS1
Actual results:
Unsupported cipher suites are present in FIPS-mode ROSA clusters.
Expected results:
There shouldn't be unsupported cipher suites in FIPS-mode ROSA clusters.
Additional info:
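The check below is an added example, not code from this bug report or from OpenShift. It takes the router tlsProfile quoted above (embedded inline so it runs offline), flags every cipher suite built on a primitive that FIPS 140 does not approve (CHACHA20-POLY1305 here), and builds a Custom tlsSecurityProfile with those suites removed plus the `oc patch` command that would apply it to the default IngressController. The `oc` invocation and the `VersionTLS12` minimum in the hardened profile are assumptions for the workaround, not something the report states; on a live cluster the input would come from `oc get ingresscontroller default -n openshift-ingress-operator -o json` (field `.status.tlsProfile`).

```python
"""Flag non-FIPS cipher suites in an OpenShift IngressController tlsProfile.

Added example (not from the bug report or the OpenShift project). The profile
below is the one quoted in the report, constructed inline so the script runs
offline. On a cluster the same structure is .status.tlsProfile of
`oc get ingresscontroller default -n openshift-ingress-operator -o json`.
"""
import json
import re

# tlsProfile as quoted in the report (default ROSA router profile).
ROUTER_TLS_PROFILE = {
    "ciphers": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "DHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
    ],
    "minTLSVersion": "VersionTLS1",  # copied as quoted in the report
}

# Primitives not approved under FIPS 140. A suite naming any of them is flagged.
# Matches both OpenSSL-style (ECDHE-RSA-CHACHA20-POLY1305) and TLS 1.3 IANA-style
# (TLS_CHACHA20_POLY1305_SHA256) names.
NON_FIPS_PRIMITIVES = re.compile(
    r"CHACHA20|POLY1305|RC4|3DES|\bDES\b|MD5|NULL|ANON|EXPORT", re.IGNORECASE
)


def non_fips_ciphers(profile):
    """Return the cipher suite names in `profile` that use a non-FIPS primitive."""
    return [c for c in profile.get("ciphers", []) if NON_FIPS_PRIMITIVES.search(c)]


def fips_custom_profile(profile, min_tls="VersionTLS12"):
    """Build a spec.tlsSecurityProfile of type Custom with flagged suites removed.

    min_tls defaults to VersionTLS12; that minimum is an assumption for the
    hardened profile, not a value taken from the report.
    """
    flagged = set(non_fips_ciphers(profile))
    return {
        "type": "Custom",
        "custom": {
            "ciphers": [c for c in profile["ciphers"] if c not in flagged],
            "minTLSVersion": min_tls,
        },
    }


def patch_command(custom_profile, name="default"):
    """`oc patch` that applies the hardened profile to the named IngressController."""
    patch = json.dumps({"spec": {"tlsSecurityProfile": custom_profile}})
    return (
        f"oc patch ingresscontroller/{name} -n openshift-ingress-operator "
        f"--type=merge -p '{patch}'"
    )


if __name__ == "__main__":
    bad = non_fips_ciphers(ROUTER_TLS_PROFILE)
    print("non-FIPS cipher suites in router profile:")
    for c in bad:
        print("  ", c)
    hardened = fips_custom_profile(ROUTER_TLS_PROFILE)
    print("\nhardened profile:")
    print(json.dumps(hardened, indent=2))
    print("\napply with:")
    print(patch_command(hardened))
```

To confirm the router actually negotiates one of the flagged suites before patching, `openssl s_client -connect <route-host>:443 -cipher ECDHE-RSA-CHACHA20-POLY1305 -tls1_2` against a route on the cluster should fail to handshake once the profile is fixed; the hostname is a placeholder to be filled in for your cluster.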