Bug
Resolution: Unresolved
Normal
4.16.z, 4.19
Quality / Stability / Reliability
Important
Rejected
NI&D Sprint 273, NI&D Sprint 274, NI&D Sprint 278
3
Description of problem
If a custom ciphersuite list with only TLSv1.2 ciphersuites is specified, all the TLSv1.3 ciphersuites are allowed.
Version-Release number of selected component (if applicable)
Initially tested on 4.16.41; most likely it reproduces on any version.
How reproducible
Always
Steps to Reproduce
1. Set up a custom ciphersuite list with ciphersuites valid only for TLSv1.2.
2. Run the nmap ssl-enum-ciphers script, e.g.: nmap -sV --script ssl-enum-ciphers -p 443 testing.apps.example.net
Actual results
Nmap shows that for TLSv1.2 the router allows the indicated ciphersuites, but it also allows all the default ciphersuites for TLSv1.3.
Expected results
Only the listed ciphersuites should be allowed, even if that means not allowing TLSv1.3 at all.
Additional info
The most likely reason is that, if no TLSv1.3 ciphersuite is added, cluster-ingress-operator doesn't set the ROUTER_CIPHERSUITES environment variable [1], so no ssl-default-bind-ciphersuites config is added [2] and HAProxy falls back to its default [3].
As a side note, if FIPS is enabled, only the FIPS-compliant default ciphersuites are allowed.
[1] - https://github.com/openshift/cluster-ingress-operator/blob/be41be00b822b820b03a7190732e3fc983efddf3/pkg/operator/controller/ingress/deployment.go#L964-L969
[2] - https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L125-L127
[3] - https://docs.haproxy.org/2.8/configuration.html#ciphersuites%20(Bind%20options)
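The env-var-to-template path described above, reduced to a stand-alone model (added example; this is not cluster-ingress-operator or router code). It classifies a profile's entries into HAProxy "ciphers" and "ciphersuites", shows that an all-TLSv1.2 list yields no ssl-default-bind-ciphersuites line, and renders an assumed hardened variant that caps the protocol at TLSv1.2 when no TLSv1.3 suite is permitted:

```go
package main

import "strings"

// Added example, not operator or router code. The TLS 1.3 suites OpenSSL
// knows: the only way to tell a "ciphersuites" entry from a "ciphers" one.
var tls13Suites = map[string]bool{
	"TLS_AES_128_GCM_SHA256":       true,
	"TLS_AES_256_GCM_SHA384":       true,
	"TLS_CHACHA20_POLY1305_SHA256": true,
	"TLS_AES_128_CCM_SHA256":       true,
	"TLS_AES_128_CCM_8_SHA256":     true,
}

// splitCiphers separates a profile's cipher list into the TLS 1.2 list
// (HAProxy "ciphers") and the TLS 1.3 list (HAProxy "ciphersuites").
func splitCiphers(profile []string) (ciphers, suites []string) {
	for _, c := range profile {
		if tls13Suites[c] {
			suites = append(suites, c)
		} else {
			ciphers = append(ciphers, c)
		}
	}
	return ciphers, suites
}

// renderGlobal mimics the template logic: the ciphersuites line is only
// written when the TLS 1.3 list is non-empty, so an all-TLS-1.2 profile
// leaves HAProxy's default TLS 1.3 suites in force. With hardened=true the
// (assumed, not current operator behaviour) fix caps the protocol instead.
func renderGlobal(profile []string, hardened bool) string {
	ciphers, suites := splitCiphers(profile)
	var b strings.Builder
	b.WriteString("global\n")
	b.WriteString("  ssl-default-bind-ciphers " + strings.Join(ciphers, ":") + "\n")
	switch {
	case len(suites) > 0:
		b.WriteString("  ssl-default-bind-ciphersuites " + strings.Join(suites, ":") + "\n")
	case hardened:
		b.WriteString("  ssl-default-bind-options ssl-max-ver TLSv1.2\n")
	}
	return b.String()
}

// tls13Constrained reports whether the rendered config limits TLS 1.3 at all.
func tls13Constrained(cfg string) bool {
	return strings.Contains(cfg, "ssl-default-bind-ciphersuites") ||
		strings.Contains(cfg, "ssl-max-ver TLSv1.2")
}
```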