Description of problem

If a custom ciphersuite list with only TLSv1.2 ciphersuites is specified, all the TLSv1.3 ciphersuites are allowed.

Version-Release number of selected component (if applicable)

Initially tested on 4.16.41, most likely it reproduces at any version

How reproducible

Always

Steps to Reproduce

1. Setup custom ciphersuite list with ciphersuites only valid for TLSv1.2
2. Run nmap ssl-enum-ciphers script, like: nmap -sV --script ssl-enum-ciphers -p 443 testing.apps.example.net
3.

Actual results

NMap shows that for TLSv1.2 the router allows the indicated ciphersuites, but it also allows all the default cipherstuites for TLSv1.3.

Expected results

Only the listed ciphersuites to be allowed, even if that means not allowing TLSv1.3 at all.

Additional info

Most likely reason for this to happen is that, if no TLSv1.3 ciphersuite is added, cluster-ingress-operator doesn't set the ROUTER_CIPHERSUITES environment variable[1], which causes that no ssl-default-bind-ciphersuites config is added[2], so HAProxy falls back to its default[3].

As a side note, if FIPS is enabled, only the FIPS-compliant default ciphersuites are allowed.

[1] - https://github.com/openshift/cluster-ingress-operator/blob/be41be00b822b820b03a7190732e3fc983efddf3/pkg/operator/controller/ingress/deployment.go#L964-L969
[2] - https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L125-L127
[3] - https://docs.haproxy.org/2.8/configuration.html#ciphersuites%20(Bind%20options)