OpenShift Bugs: OCPBUGS-58040

If custom TLS profile with only TLSv1.2 ciphersuites is specified, all the default TLSv1.3 ciphersuites are also allowed


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.16.z, 4.19
    • Networking / router
    • Quality / Stability / Reliability
    • Important
    • Rejected
    • NI&D Sprint 273, NI&D Sprint 274, NI&D Sprint 278

      Description of problem

      If a custom ciphersuite list with only TLSv1.2 ciphersuites is specified, all the TLSv1.3 ciphersuites are allowed.

      Version-Release number of selected component (if applicable)

      Initially tested on 4.16.41, most likely it reproduces at any version

      How reproducible

      Always

      Steps to Reproduce

      1. Set up a custom ciphersuite list with ciphersuites only valid for TLSv1.2
      2. Run the nmap ssl-enum-ciphers script, e.g.: nmap -sV --script ssl-enum-ciphers -p 443 testing.apps.example.net

      Actual results

      Nmap shows that for TLSv1.2 the router allows the indicated ciphersuites, but it also allows all the default ciphersuites for TLSv1.3.

      Expected results

      Only the listed ciphersuites to be allowed, even if that means not allowing TLSv1.3 at all.

      Additional info

      The most likely reason for this is that, if no TLSv1.3 ciphersuite is added, cluster-ingress-operator doesn't set the ROUTER_CIPHERSUITES environment variable[1], which means no ssl-default-bind-ciphersuites setting is added[2], so HAProxy falls back to its default[3].

      As a side note, if FIPS is enabled, only the FIPS-compliant default ciphersuites are allowed.

      [1] - https://github.com/openshift/cluster-ingress-operator/blob/be41be00b822b820b03a7190732e3fc983efddf3/pkg/operator/controller/ingress/deployment.go#L964-L969
      [2] - https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L125-L127
      [3] - https://docs.haproxy.org/2.8/configuration.html#ciphersuites%20(Bind%20options)
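      The behaviour described in the additional info, modelled as an added example (this is not code from cluster-ingress-operator or the router): the profile's cipher list is split into TLSv1.2 ciphers and TLSv1.3 ciphersuites, the HAProxy global directives are rendered only when the corresponding list is non-empty, and the effective TLSv1.3 set is reported so an operator can spot the gap before scanning with nmap. The split logic follows the page's description rather than the operator's source, and the HAProxy fallback list is an assumption based on OpenSSL's built-in TLSv1.3 default.

```python
# Added example modelling the ticket's "Additional info"; not operator/router code.
# TLSv1.3 ciphersuite names as registered by IANA (TLS_* form used by OpenSSL).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# ASSUMPTION: what HAProxy accepts for TLSv1.3 when ssl-default-bind-ciphersuites
# is absent (OpenSSL's default TLSv1.3 list); taken as a constructed sample value.
ASSUMED_DEFAULT_TLS13 = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]


def split_profile(ciphers):
    """Split a profile's cipher list into (TLSv1.2 ciphers, TLSv1.3 ciphersuites)."""
    tls12 = [c for c in ciphers if c not in TLS13_SUITES]
    tls13 = [c for c in ciphers if c in TLS13_SUITES]
    return tls12, tls13


def render_haproxy_global(ciphers):
    """Render the global directives as the page describes: the TLSv1.3
    directive is only emitted when ROUTER_CIPHERSUITES would be non-empty."""
    tls12, tls13 = split_profile(ciphers)
    lines = ["  ssl-default-bind-ciphers " + ":".join(tls12)]
    if tls13:
        lines.append("  ssl-default-bind-ciphersuites " + ":".join(tls13))
    return "\n".join(lines)


def effective_tls13(ciphers):
    """Return (TLSv1.3 ciphersuites HAProxy would accept, gap_flag).
    gap_flag is True when the profile listed none and HAProxy's default applies."""
    _, tls13 = split_profile(ciphers)
    if tls13:
        return tls13, False
    return list(ASSUMED_DEFAULT_TLS13), True


if __name__ == "__main__":
    # Constructed sample: a TLSv1.2-only custom profile, as in the ticket.
    profile = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
    print(render_haproxy_global(profile))
    suites, gap = effective_tls13(profile)
    print("TLSv1.3 effectively accepted:", suites, "(unintended default)" if gap else "")
```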

              Miciah Masters
              Pablo Alonso Rodriguez
              Melvin Joseph