Details
-
Feature Request
-
Resolution: Done
-
Major
-
None
-
None
-
False
-
False
-
0
-
0%
-
Undefined
Description
1. Proposed title of this feature request
Ability to restrict ciphers used in oauth-proxy
2. What is the nature and description of the request?
Certain ciphers in oauth-proxy are considered insecure and are requested to be dropped by the Federal Office for Information Security (Germany).
- BSI TR-02102-2
- Technical Guideline TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths
It's therefore requested to limit the ciphers in https://github.com/openshift/oauth-proxy/blob/release-4.6/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go#L255-L283 to the list from the above PDF or else provide functionality to specify the ciphers allowed via oauth-proxy command-line option.
3. Why does the customer need this? (List the business requirements here)
The ciphers considered secure by Federal Office for Information Security (Germany) are listed in BSI TR-02102-2 and companies in Germany are requested and recommended to follow these guidelines as strictly as possible to guarantee secure data exchange. Further in some areas the guidelines are mandatory to be followed and therefore customers have a need to comply accordingly with all tooling in use (including OpenShift Container Platform and oauth-proxy)
4. List any affected packages or components.
oauth-proxy
