Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-3917

TLS connection to reencrypt route fails on FIPS cluster depending on certain client cipher order

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Normal Normal
    • None
    • 4.11, 4.8, 4.14.z, 4.16.z
    • Networking / router
    • None
    • Important
    • None
    • Sprint 228, Sprint 229, Sprint 230, Sprint 231, Sprint 232, Sprint 233, Sprint 234
    • 7
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      On FIPS enabled clusters, request to a reencrypt route fail, if the cipher TLS_CHACHA20_POLY1305_SHA256 }}is first in the list of ciphers of the client. The router access logs show {{fe_sni/1: SSL handshake failure. }}Apart from that, no further useful information about the error is provided. Our clients connect to a service behind a {{reencrypt route from a VSCode extension. Hence we have no control over the client and have no influence over the cipher order. We were able to reproduce the issue with curl as well. As long {{TLS_CHACHA20_POLY1305_SHA256 }}is not first in the list of ciphers, everything works without any issues.

       

      Reproduced on OCP 4.8 & 4.11

       

      Steps to Reproduce:

      1. Ensure the cluster is FIPS enabled
2. Perform a curl against any reencrypt route, while specifying TLS_CHACHA20_POLY1305_SHA256 as primary TLS 1.3 cipher

curl -kL --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 --ciphers TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256 https://console-openshift-console.apps.salmons.cp.fyre.ibm.com

      Actual results:

      curl -kL --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 --ciphers TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256 https://console-openshift-console.apps.salmons.cp.fyre.ibm.com
*   Trying 9.46.193.35:443...
* Connected to console-openshift-console.apps.salmons.cp.fyre.ibm.com (9.46.193.35) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* Cipher selection: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256
* TLS 1.3 cipher selection: TLS_CHACHA20_POLY1305_SHA256
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to console-openshift-console.apps.salmons.cp.fyre.ibm.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to console-openshift-console.apps.salmons.cp.fyre.ibm.com:443

      Expected results:

      A HTTP 200

      Additional info:

      Access logs from routeer:

      2022-10-13T09:32:54.058359+00:00 worker1 worker1.fips4md.cp.fyre.ibm.com haproxy[31]: 10.17.96.220:53880 [13/Oct/2022:09:32:53.873] fe_sni/1: SSL handshake failure
2022-10-13T09:32:54.241120+00:00 worker1 worker1.fips4md.cp.fyre.ibm.com haproxy[31]: 10.17.96.220:53880 [13/Oct/2022:09:32:53.870] public_ssl be_sni/fe_sni 3/0/371 99 -- 2/2/0/0/0 0/0

      We've also changed the tlsSecurityProfile in the IngressController to remove TLS_CHACHA20_POLY1305_SHA25 }}using the {{custom security profile. This did not work either.

       

              mmasters1@redhat.com Miciah Masters
              mdaschner Michael Daschner (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: