OpenShift Service Mesh / OSSM-6824

MTT: TestSSL testcase failed against the 2.6 SMCP in FIPS cluster


      Server cipher order is not being enforced by the 2.6 proxy on a FIPS cluster.
      `./testssl/testssl.sh -P -6 productpage:9080` fails on:

       Has server cipher order?     no (NOT ok)
      

      =====

      SMCP:

      spec:
        security:
          dataPlane:
            mtls: true
          controlPlane:
            mtls: true
            tls:
              minProtocolVersion: TLSv1_2
              maxProtocolVersion: TLSv1_2
              cipherSuites:
              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
              ecdhCurves:
              - CurveP256
              - CurveP384
      

      Results of the command `./testssl/testssl.sh -P -6 productpage:9080`, run in the testssl container (see https://github.com/maistra/maistra-test-tool/blob/main/pkg/tests/ossm/testssl_test.go#L98):

      SMCP v2.6, FIPS cluster

       Using "OpenSSL 1.1.1g FIPS  21 Apr 2020" [~46 ciphers]
       on testssl-556b48c878-t9hfp:/usr/bin/openssl
       (built: "Mar 25 16:46:53 2021", platform: "linux-x86_64")
      
      
       Start 2024-07-15 14:22:52        -->> 172.30.73.114:9080 (productpage) <<--
      
       rDNS (172.30.73.114):   productpage.bookinfo.svc.cluster.local.
       Testing with productpage:9080 only worked using /usr/bin/openssl.
       Test results may be somewhat better if the --ssl-native option is used.
       Type "yes" to proceed and accept false negatives or positives --> yes
       Service detected:       certificate-based authentication => skipping all HTTP checks
      
      
       Testing server preferences 
      
       Has server cipher order?     no (NOT ok)
       Negotiated protocol          TLSv1.2
       Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) (limited sense as client will pick)
       Negotiated cipher per proto  (limited sense as client will pick)
           ECDHE-RSA-AES128-GCM-SHA256:   TLSv1.2
       No further cipher order check has been done as order is determined by the client
      
      
       Done 2024-07-15 14:22:56 [   8s] -->> 172.30.73.114:9080 (productpage) <<--
      
      

      SMCP v2.6, non-FIPS cluster

       Using "OpenSSL 1.1.1g FIPS  21 Apr 2020" [~85 ciphers]
       on testssl-556b48c878-lj4cq:/usr/bin/openssl
       (built: "Mar 25 16:46:53 2021", platform: "linux-x86_64")
      
      
       Start 2024-07-15 14:29:46        -->> 172.30.199.21:9080 (productpage) <<--
      
       rDNS (172.30.199.21):   productpage.bookinfo.svc.cluster.local.
       Service detected:       certificate-based authentication => skipping all HTTP checks
      
      
       Testing server preferences 
      
       Has server cipher order?     yes (OK)
       Negotiated protocol          TLSv1.2
       Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
       Cipher order
          TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 
      
      
       Done 2024-07-15 14:29:50 [   8s] -->> 172.30.199.21:9080 (productpage) <<--
      

      SMCP v2.5, FIPS cluster

       Using "OpenSSL 1.1.1g FIPS  21 Apr 2020" [~46 ciphers]
       on testssl-556b48c878-4d75m:/usr/bin/openssl
       (built: "Mar 25 16:46:53 2021", platform: "linux-x86_64")
      
      
       Start 2024-07-15 14:20:01        -->> 172.30.187.25:9080 (productpage) <<--
      
       rDNS (172.30.187.25):   productpage.bookinfo.svc.cluster.local.
       Service detected:       certificate-based authentication => skipping all HTTP checks
      
      
       Testing server preferences 
      
       Has server cipher order?     yes (OK)
       Negotiated protocol          TLSv1.2
       Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
       Cipher order
          TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 
      
      
       Done 2024-07-15 14:20:04 [   7s] -->> 172.30.187.25:9080 (productpage) <<--
      

            mkralik@redhat.com Matej Kralik