Re: Openshift router certificate chain

2017-11-17 Thread Clayton Coleman
Sha1 may not even be in “old” (because I believe it’s now considered
broken). If you need it, you’ll have to edit the router template with that
cipher.


Re: Openshift router certificate chain

2017-11-17 Thread Mateus Caruccio
What is the value of `ROUTER_CIPHERS`?

$ oc -n default env --list dc/router | grep ROUTER_CIPHERS

Maybe you need to set it to `old` in order to support sha1.



--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017


Re: Openshift router certificate chain

2017-11-17 Thread Marcello Lorenzi
Hi Mateus,
this is the output reported:


  # Prevent vulnerability to POODLE attacks
  ssl-default-bind-options no-sslv3

# The default cipher suite can be selected from the three sets recommended
by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the ROUTER_CIPHERS environment variable.
# By default when a cipher set is not provided, intermediate is used.
{{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
  # Modern cipher suite (no legacy browser support) from
https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
{{ else }}

  {{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
  # Intermediate cipher suite (default) from
https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  {{ else }}

{{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}

  # Old cipher suite (maximum compatibility but insecure) from
https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 1024
  ssl-default-bind-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

{{- else }}
  # user provided list of ciphers (Colon separated list as seen above)
  # the env default is not used here since we can't get here with empty
ROUTER_CIPHERS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers {{env "ROUTER_CIPHERS"
"ECDHE-ECDSA-CHACHA20-POLY1305"}}
{{- end }}
  {{- end }}
{{- end }}

defaults
  maxconn {{env "ROUTER_MAX_CONNECTIONS" "2"}}

  # Add x-forwarded-for header.
{{- if ne (env "ROUTER_SYSLOG_ADDRESS" "") "" }}
  {{- if ne (env "ROUTER_SYSLOG_FORMAT" "") "" }}

Marcello


Re: Openshift router certificate chain

2017-11-17 Thread Mateus Caruccio
Hey Marcello.

Correct me if I'm wrong, but you could look into haproxy's config and set
all ciphers you need:

$ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers
haproxy-config.template

There is this env var `ROUTER_CIPHERS`: you can choose standard profiles
(modern|intermediate|old) or define your own list.

Hope this helps.

Mateus


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Openshift router certificate chain

2017-11-17 Thread Marcello Lorenzi
Hi All,
we tried to configure a new route on Openshift Origin 3.6 to expose a pod
where the SSL termination is enabled. We have a problem configuring a
re-encrypt route: we noticed that the application is not present on the
router, and after some investigation we discovered that the problem is
related to the pod certificate chain. The chain is formed by:

- root certificate sha1
- intermediate certificate sha256
- server certificate sha256

We have updated the root certificate to sha256 and all works fine.

Could you confirm if the Openshift router doesn't support the sha1
certificate?

Thanks,
Marcello
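The chain in this report (a SHA-1 self-signed root under a SHA-256 intermediate and a SHA-256 server certificate) can be checked before it is handed to the router. The Go program below is an added example written for this page, not code from the thread or from the OpenShift router. It builds a throwaway chain of exactly that shape in memory (the names Example Root CA, Example Intermediate CA and app.example.internal and the keys are constructed test data) and then lists, for each certificate in a PEM bundle, the algorithm its issuer signed it with, whether that algorithm is SHA-1 based, and whether the certificate is self-signed. The same InspectChain function works on a real bundle, for example the file you would put into a route's destinationCACertificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertInfo is one certificate from a bundle: subject CN, the algorithm its
// issuer signed it with, whether that is SHA-1, and whether issuer == subject.
type CertInfo struct {
	Subject    string
	SigAlg     x509.SignatureAlgorithm
	SHA1       bool
	SelfSigned bool
}

// usesSHA1 covers the SHA-1 signature algorithms of every key type.
func usesSHA1(a x509.SignatureAlgorithm) bool {
	return a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 || a == x509.DSAWithSHA1
}

// InspectChain reports every CERTIFICATE block in a PEM bundle, in bundle order.
// It verifies nothing; the only question is which hash each signature uses.
func InspectChain(bundle []byte) ([]CertInfo, error) {
	var infos []CertInfo
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys, CRLs or other PEM objects in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(infos)+1, err)
		}
		infos = append(infos, CertInfo{
			Subject: cert.Subject.CommonName,
			SigAlg:  cert.SignatureAlgorithm,
			SHA1:    usesSHA1(cert.SignatureAlgorithm),
			// Name match only: CheckSignatureFrom refuses SHA-1 on recent Go versions.
			SelfSigned: cert.Issuer.String() == cert.Subject.String(),
		})
	}
	return infos, nil
}

// buildTestChain makes, in memory, a chain shaped like the one in the thread:
// SHA-1 self-signed root, SHA-256 intermediate, SHA-256 server certificate.
// Names and keys are throwaway test data, not a real CA.
func buildTestChain() ([]byte, error) {
	cns := []string{"Example Root CA", "Example Intermediate CA", "app.example.internal"}
	algs := []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA256WithRSA}
	var bundle []byte
	var issuer *x509.Certificate
	var issuerKey *rsa.PrivateKey
	for i, cn := range cns {
		key, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(int64(i + 1)),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             time.Now().Add(-time.Hour),
			NotAfter:              time.Now().Add(24 * time.Hour),
			IsCA:                  i < 2, // root and intermediate are CAs
			BasicConstraintsValid: true,
			SignatureAlgorithm:    algs[i], // the field InspectChain reports
		}
		if issuer == nil { // the root signs itself
			issuer, issuerKey = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
		if err != nil {
			return nil, err
		}
		if issuer, err = x509.ParseCertificate(der); err != nil {
			return nil, err
		}
		issuerKey = key
		// Prepend: a server presents its chain leaf first, so the bundle does too.
		bundle = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), bundle...)
	}
	return bundle, nil
}

func main() {
	bundle, err := buildTestChain()
	if err != nil {
		panic(err)
	}
	infos, _ := InspectChain(bundle) // cannot fail on a bundle we just built
	for _, ci := range infos {
		fmt.Printf("%-24s %-16v sha1=%-5v self-signed=%v\n", ci.Subject, ci.SigAlg, ci.SHA1, ci.SelfSigned)
	}
}
```

Two points are worth keeping in mind when reading the output. The hash named in a cipher suite (the SHA in ECDHE-RSA-AES128-SHA, the SHA256 in ECDHE-RSA-AES128-GCM-SHA256) is the record MAC or PRF hash negotiated for the connection and has nothing to do with the hash an issuer used to sign a certificate, so ROUTER_CIPHERS changes the former while this check reports the latter. And a root certificate is a trust anchor: whether its own self-signature is checked at all depends on the verifying library (OpenSSL, for instance, skips it unless X509_V_FLAG_CHECK_SS_SIGNATURE is set), which is why the SelfSigned flag is reported next to the algorithm rather than every SHA-1 hit being treated alike.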