Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-25184

Presence of ChaCha20 ciphers on FIPS enabled ROSA cluster

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • No
    • None
    • Rejected
    • Sprint 254, NE Sprint 255, NE Sprint 256, NE Sprint 257, NE Sprint 263, NI&D Sprint 273, NI&D Sprint 274, NI&D Sprint 279
    • 8
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem:

      CHACHA20 Cipher suits are not compatible with FIPS enabled clusters. 
The cluster is allowing non-FIPS compliant cipher suites via the OpenShift router, causing an issue during the TLS exchange. Specifically, the CHACHA20 cipher is causing the problem as it is not FIPS compliant.
 
 
The following are created by ROSA router by default tlsProfile:
 
ciphers: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: VersionTLS1

      Actual results:

          Unsupported cipher suits present in FIPS mode ROSA clusters

      Expected results:

          There shouldn't be unsupported cipher suits in FIPS mode ROSA clusters

      Additional info:

              mmasters1@redhat.com Miciah Masters
              rhn-support-akadanna Archith Kadanna Palli
              None
              None
              Melvin Joseph Melvin Joseph
              None
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: