OpenShift Bugs: OCPBUGS-58475

Use of insecure cipher warning info in CMO logs


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.20.0
    • 4.18.z, 4.19.z, 4.20.0
    • Monitoring
    • None
    • Quality / Stability / Reliability
    • False
    • 5
    • Low
    • None
    • None
    • Mon Sprint 273, MON Sprint 274, MON Sprint 275
    • 3
    • Done
    • Bug Fix
    • Cluster Monitoring Operator applies secure TLS settings to resolve cipher warnings::
      Before this update, the Cluster Monitoring Operator logged warnings about insecure TLS ciphers, which could raise concerns about security. This release configures secure TLS settings, removing those cipher warnings from the logs and ensuring the operator reports correct, secure TLS configurations.
      +
      link:https://issues.redhat.com/browse/OCPBUGS-58475[OCPBUGS-58475]
    • None
    • None
    • None
    • None

      Description of problem:

      Checked in 4.18.0-0.nightly-2025-07-07-070117, 4.19.0-0.nightly-2025-07-02-143253 and 4.20.0-0.nightly-2025-07-07-092859: "Use of insecure cipher" warnings appear in the CMO logs (this does not affect functionality). Example:

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.20.0-0.nightly-2025-07-07-092859   True        True          42m     Cluster version is 4.20.0-0.nightly-2025-07-07-092859
      
      $ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
      W0708 09:07:36.461485       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 09:07:36.461517       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 09:07:36.461525       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
      W0708 09:07:36.461529       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
      W0708 09:07:36.461535       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
      W0708 09:07:36.461548       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
      
      $ oc get kubeapiserver/cluster -o jsonpath='{.spec.observedConfig.servingInfo.cipherSuites}'  | jq
      [
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      ]

      Checked the pods: no pods use the insecure ciphers, and the pods' cipher suites are the same as those in kubeapiserver.

      $ oc -n openshift-monitoring get po -oyaml | grep -E "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_GCM_SHA256|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA"
      no result
      
      $ oc -n openshift-monitoring get po prometheus-k8s-0 -oyaml
          - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 

      Version-Release number of selected component (if applicable):

      4.18+

      How reproducible:

      always

      Steps to Reproduce:

      1. check CMO logs
          

      Actual results:

      Use of insecure cipher warning info in CMO logs

      Expected results:

      no warning

      Additional info:

      # oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.18.0-0.nightly-2025-07-07-070117   True        False         140m    Cluster version is 4.18.0-0.nightly-2025-07-07-070117
      
      # oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
      W0708 06:47:13.803305       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 06:47:13.803337       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 06:47:13.803377       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
      W0708 06:47:13.803403       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
      W0708 06:47:13.803429       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
      W0708 06:47:13.808797       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
      
      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.19.0-0.nightly-2025-07-02-143253   True        True          52m     Cluster version is 4.19.0-0.nightly-2025-07-02-143253
      
      $ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
      W0708 08:58:46.867671       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 08:58:46.868754       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
      W0708 08:58:46.868787       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
      W0708 08:58:46.868812       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
      W0708 08:58:46.868829       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
      W0708 08:58:46.868844       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
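
The check the report performs by hand (collect the ciphers named in the warnings, then look for them in the configured cipher list) can be automated as below. This Go program is an added example, not code from the Cluster Monitoring Operator or from the report; `Triage`, `Finding` and both sample inputs are constructed for illustration, and the `GoInsecure` field reflects the Go version it is built with.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
)

// Warning format as it appears in the CMO logs quoted on this page.
var warnRe = regexp.MustCompile(`Use of insecure cipher '([A-Z0-9_]+)' detected\.`)

// Finding records one distinct cipher named in a warning line (hypothetical type).
type Finding struct {
	Cipher     string
	InProfile  bool // also present in the configured cipher list
	GoInsecure bool // in this Go toolchain's tls.InsecureCipherSuites(); varies by Go version
}

// Triage returns distinct flagged ciphers (first-seen order) with both checks applied.
func Triage(logs string, configured []string) []Finding {
	conf, insecure, seen := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, c := range configured {
		conf[c] = true
	}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	var out []Finding
	for _, m := range warnRe.FindAllStringSubmatch(logs, -1) {
		if name := m[1]; !seen[name] {
			seen[name] = true
			out = append(out, Finding{name, conf[name], insecure[name]})
		}
	}
	return out
}

// Constructed sample: warning lines in the page's log format, one cipher repeated.
const sampleLogs = `W0708 09:07:36.461517 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461535 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 09:09:10.000000 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.`

// Constructed sample profile: a subset of the kubeapiserver cipher list shown above.
var sampleProfile = []string{"TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

func main() {
	for _, f := range Triage(sampleLogs, sampleProfile) {
		fmt.Printf("%-40s inProfile=%v goInsecure=%v\n", f.Cipher, f.InProfile, f.GoInsecure)
	}
}
```

A finding with `InProfile=false` names a cipher that the configured list does not enable, which matches what the report observed for all six flagged suites.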

              dmellado1@redhat.com Daniel Mellado Area
              juzhao@redhat.com Junqi Zhao
              Junqi Zhao
              Eliska Romanova