OpenShift Bugs / OCPBUGS-25184

Presence of ChaCha20 ciphers on FIPS enabled ROSA cluster


Details

    • No
    • Sprint 246, Sprint 247, Sprint 248, Sprint 249, Sprint 250, Sprint 251, Sprint 252, Sprint 253
    • 8
    • Rejected
    • False

    Description

      Description of problem:

      CHACHA20 cipher suites are not compatible with FIPS-enabled clusters.
      The cluster is allowing non-FIPS compliant cipher suites via the OpenShift router, causing an issue during the TLS exchange. Specifically, the CHACHA20 cipher is causing the problem as it is not FIPS compliant.
       
       
      The following are created by ROSA router by default tlsProfile:
       
      ciphers:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - DHE-RSA-AES128-GCM-SHA256
      - DHE-RSA-AES256-GCM-SHA384
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      minTLSVersion: VersionTLS1
      

      Actual results:

          Unsupported cipher suites present in FIPS mode ROSA clusters

      Expected results:

          There shouldn't be unsupported cipher suites in FIPS mode ROSA clusters

      Additional info:
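The check described in this report can be automated. The following is an added example, not part of the original report and not OpenShift code: it parses a tlsProfile cipher list (flattened as quoted above, or multi-line YAML) and separates suites whose bulk cipher is not AES, such as ChaCha20-Poly1305. The function names are hypothetical, and the check assumes that inspecting only the bulk cipher is enough for a first-pass audit; it is not a FIPS validation of key exchange, curves or the crypto module.

```python
import re

# Cipher list as quoted in the report (flattened YAML, copied from the page).
REPORTED_PROFILE = (
    "ciphers: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 "
    "- ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 "
    "- ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 "
    "- DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 "
    "- TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 "
    "- TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: VersionTLS1"
)


def parse_profile(text):
    """Return (ciphers, min_tls_version) from a flattened or multi-line fragment."""
    # Take everything after 'ciphers:' up to the next 'key:' token or end of text.
    section = re.search(r"ciphers:(.*?)(?=\b[A-Za-z]+:|\Z)", text, re.S)
    body = section.group(1) if section else ""
    # A list item is '- NAME'; hyphens inside a name are never followed by a space.
    ciphers = re.findall(r"-\s+([A-Z0-9][A-Z0-9_-]+)", body)
    version = re.search(r"minTLSVersion:\s*(\S+)", text)
    return ciphers, (version.group(1) if version else None)


def bulk_cipher(suite):
    """Name the bulk cipher in an OpenSSL-style or TLS 1.3 suite name."""
    name = suite.upper()
    if "CHACHA20" in name:
        return "CHACHA20-POLY1305"
    aes = re.search(r"AES_?(128|256)", name)
    return f"AES-{aes.group(1)}" if aes else "UNKNOWN"


def audit_profile(text):
    """Split the profile's suites into AES-based ones and everything else."""
    ciphers, min_tls = parse_profile(text)
    # Assumption: anything that is not AES-based (ChaCha20, unknown) is flagged.
    flagged = [c for c in ciphers if not bulk_cipher(c).startswith("AES-")]
    aes_only = [c for c in ciphers if c not in flagged]
    return {"ciphers": ciphers, "flagged": flagged,
            "aes_only": aes_only, "min_tls": min_tls}


if __name__ == "__main__":
    result = audit_profile(REPORTED_PROFILE)
    for suite in result["flagged"]:
        print(f"not AES-based ({bulk_cipher(suite)}): {suite}")
    print("minTLSVersion as reported:", result["min_tls"])
```
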

          


          People

            mmasters1@redhat.com Miciah Masters
            rhn-support-akadanna Archith Kadanna Palli
            Melvin Joseph Melvin Joseph
