OpenShift Bugs
OCPBUGS-51080

Setting custom TLS profile in ingress controller, control plane and kubelet still report ports with unwanted encryption tls1_2: ECDHE-RSA-CHACHA20-POLY1305 - port 17697


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Undefined
    • Affects Version/s: 4.14
    • Component/s: openshift-apiserver
    • Quality / Stability / Reliability

      Description of problem:

      A customer is configuring custom TLS profiles on the Ingress Controller, control plane and kubelet (doc). However, the unwanted ECDHE-RSA-CHACHA20-POLY1305 cipher is still reported.
      
      $ oc get apiserver/cluster -o json | jq  .spec.tlsSecurityProfile
      {
        "custom": {
          "ciphers": [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384"
          ],
          "minTLSVersion": "VersionTLS12"
        },
        "type": "Custom"
      }  

      Version-Release number of selected component (if applicable):

      OCP 4.14.10      

      How reproducible:

      Configure the custom profiles according to the documentation:
      https://docs.openshift.com/container-platform/4.14/security/tls-security-profiles.html     

      Steps to Reproduce:

       1. Details of the custom TLS profiles configured:

      $ oc get ingresscontrollers/default -n openshift-ingress-operator -o json | jq .spec.tlsSecurityProfile
      {
        "custom": {
          "ciphers": [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384"
          ],
          "minTLSVersion": "VersionTLS12"
        },
        "type": "Custom"
      }

      $ oc get apiserver/cluster -o json | jq .spec.tlsSecurityProfile
      {
        "custom": {
          "ciphers": [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384"
          ],
          "minTLSVersion": "VersionTLS12"
        },
        "type": "Custom"
      }

      $ oc get kubeletconfig/mycustomkubelet -o json | jq .spec.tlsSecurityProfile
      {
        "custom": {
          "ciphers": [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384"
          ],
          "minTLSVersion": "VersionTLS12"
        },
        "type": "Custom"
      }
      
      2. Bash test:
      
      $ for port in 17697 10357 9100 9001 10259 22623 6443 2379 10250 9978 10257 2380 9099 9192 9104 1936 443; do
          for node in $(cat /tmp/hostlist); do
            # -ssl2 was removed in OpenSSL 1.1.0 and -ssl3 is compiled out of most builds,
            # so those two iterations fail silently; only tls1, tls1_1 and tls1_2 are really probed
            for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
              # try every cipher the local openssl knows, including NULL-encryption suites
              for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
                # a zero exit status means the handshake with that version/cipher succeeded
                timeout 4 openssl s_client -connect $node:$port -cipher $c -$v < /dev/null > /dev/null 2>&1 \
                  && echo -e "$node:$port $v: $c"
              done
            done
          done
        done

      Actual results:

      master:17697 tls1_2: ECDHE-RSA-CHACHA20-POLY1305    
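The sweep echoes every handshake that succeeds, so the output still has to be compared against the profile that is supposed to govern each port. The following script is an added example, not part of this bug report: it takes the profile's cipher list and minTLSVersion (the same values as the custom profile above), reads scan lines in the sweep's `<node>:<port> <version>: <cipher>` format, and prints one line for every cipher outside the profile and every protocol version below the minimum. The scan lines are constructed samples (the 17697 line reproduces the actual result above); the protocol labels are the openssl s_client flag names the sweep uses, and the function and variable names are the example's own.

```bash
#!/usr/bin/env bash
# Added example: check openssl s_client sweep output against a custom TLS profile.
# Not code from the bug report or from OpenShift; names below are this example's own.

# Constructed sample: the cipher list and minimum version from the custom profile.
ALLOWED_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384"
MIN_TLS="tls1_2"   # VersionTLS12 expressed as the s_client flag name

# Constructed sample of sweep output: "<node>:<port> <version>: <cipher>" per line.
SCAN_OUTPUT="master:6443 tls1_2: ECDHE-RSA-AES128-GCM-SHA256
master:6443 tls1_2: ECDHE-RSA-AES256-GCM-SHA384
master:17697 tls1_2: ECDHE-RSA-CHACHA20-POLY1305
master:17697 tls1_2: ECDHE-RSA-AES128-GCM-SHA256
worker:10250 tls1_1: ECDHE-RSA-AES128-GCM-SHA256"

# Map an s_client protocol flag name to a rank so versions can be ordered.
tls_rank() {
  case "$1" in
    ssl2) echo 0 ;;
    ssl3) echo 1 ;;
    tls1) echo 2 ;;
    tls1_1) echo 3 ;;
    tls1_2) echo 4 ;;
    tls1_3) echo 5 ;;
    *) echo -1 ;;   # unknown label ranks below everything
  esac
}

# find_violations <scan output> <allowed ciphers, newline separated> <min version label>
# Prints "<node>:<port> <reason> <detail>" for each deviation from the profile.
find_violations() {
  local scan="$1" allowed="$2" minv="$3" minrank
  minrank=$(tls_rank "$minv")
  printf '%s\n' "$scan" | while read -r endpoint version cipher; do
    [ -z "$endpoint" ] && continue
    version=${version%:}   # strip the trailing colon the sweep prints after the version
    # a handshake below minTLSVersion is a violation regardless of cipher
    if [ "$(tls_rank "$version")" -lt "$minrank" ]; then
      echo "$endpoint protocol-below-minimum $version"
    fi
    # any negotiated cipher that is not in the profile's list is a violation
    if ! printf '%s\n' "$allowed" | grep -qxF -- "$cipher"; then
      echo "$endpoint cipher-not-in-profile $cipher"
    fi
  done
}

find_violations "$SCAN_OUTPUT" "$ALLOWED_CIPHERS" "$MIN_TLS"
```

To use it against a real sweep, replace SCAN_OUTPUT with the captured echo lines (for example `SCAN_OUTPUT=$(cat /tmp/sweep.txt)`) and ALLOWED_CIPHERS with `oc get apiserver/cluster -o json | jq -r '.spec.tlsSecurityProfile.custom.ciphers[]'`. Every port the sweep touches is checked against the same profile, so a listener that the profile does not cover, such as 17697 in the actual result above, shows up as a finding that then has to be attributed to its own component rather than to the profile.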

      Expected results:

          

      Additional info:

          

              Assignee: Unassigned
              Reporter: Mario Castillo (rhn-support-macastil)
              Rahul Gangwar
              Votes: 0
              Watchers: 3