Loading...

XML

Word

Printable

Details

Type: Ticket
Resolution: Not a Bug
Priority: Critical
Fix Version/s: None
Affects Version/s: OSSM 2.4.0
Component/s: Envoy
Labels:
- ENVOY
- Maistra
- OSSM
- cipher-suite
- istiod

Blocked:
False
Blocked Reason:
None
Ready:
False

SFDC Cases Links:
SFDC Cases Counter:

Description

The customer wanted to disable weak ciphers so added the following ciphers in SMCP.

> omg get smcp basic -oyaml
...
spec:
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  policy:
    type: Istiod
  profiles:
  - default
  proxy:
    networking:
      protocol:
        autoDetect:
          inbound: true
          outbound: true
      trafficControl:
        outbound:
          includedIPRanges:
          - 10.128.0.0/16,172.30.0.0/16
  security:
    controlPlane:
      mtls: true
      tls:
        cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    dataPlane:
      automtls: true
      mtls: true

However, the istiod pod logs have following errors for `ECDHE-ECDSA-CHACHA20-POLY1305` and `ECDHE-RSA-CHACHA20-POLY1305` cipher suites.

> omg logs istiod-basic-758f779f6c-s5tx9
...
2023-08-25T13:10:08.161399128Z 2023-08-25T13:10:08.161320Z      info    ads     EDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:399 size:163.6kB empty:0 cached:399/399
2023-08-25T13:10:08.202092815Z 2023-08-25T13:10:08.202021Z      info    ads     LDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:131 size:320.3kB
2023-08-25T13:10:08.203672974Z 2023-08-25T13:10:08.203637Z      info    ads     NDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:1 size:57.4kB
2023-08-25T13:10:08.418616386Z 2023-08-25T13:10:08.418529Z      info    ads     RDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:60 size:261.1kB cached:54/60
2023-08-25T13:10:08.418616386Z 2023-08-25T13:10:08.418596Z      warn    ads     ADS:LDS: ACK ERROR camunda-backup-28216150-5rfjr.camunda-dev-625 Internal:Error adding/updating listener(s) virtualInbound: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
2023-08-25T13:10:08.418616386Z 
2023-08-25T13:13:41.273585205Z 2023-08-25T13:13:41.273501Z      warn    Insecure first-party-jwt option used to validate token; use third-party-jwt

I am attaching the OSSM must-gather where the SMCP is present in `

istio-system-common` namespace.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ayush Garg

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2023/08/25 5:08 PM

Updated:: 2023/11/14 5:17 PM

Resolved:: 2023/11/14 5:17 PM