Re: Openshift router certificate chain
Sha1 may not even be in “old” (because I believe it’s now considered broken). If you need it, you’ll have to edit the router template with that cipher.

On Nov 17, 2017, at 7:49 AM, Mateus Caruccio wrote:

> What is the value of `ROUTER_CIPHERS`?
>
> $ oc -n default env --list dc/router | grep ROUTER_CIPHERS
>
> Maybe you need to set it to `old` in order to support sha1.
>
> --
> Mateus Caruccio / Master of Puppets
> GetupCloud.com
> We make the infrastructure invisible
> Gartner Cool Vendor 2017
>
> 2017-11-17 10:42 GMT-02:00 Marcello Lorenzi:
>
> > Hi Mateus,
> > this is the output reported:
> >
> > [...]
> >
> > Marcello
Re: Openshift router certificate chain
What is the value of `ROUTER_CIPHERS`?

$ oc -n default env --list dc/router | grep ROUTER_CIPHERS

Maybe you need to set it to `old` in order to support sha1.

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-11-17 10:42 GMT-02:00 Marcello Lorenzi:

> Hi Mateus,
> this is the output reported:
>
> [...]
>
> Marcello
>
> On Fri, Nov 17, 2017 at 1:36 PM, Mateus Caruccio <mateus.caruc...@getupcloud.com> wrote:
>
> > [...]
Re: Openshift router certificate chain
Hi Mateus,
this is the output reported:

# Prevent vulnerability to POODLE attacks
ssl-default-bind-options no-sslv3

# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the ROUTER_CIPHERS environment variable.
# By default when a cipher set is not provided, intermediate is used.
{{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
# Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
{{ else }}

{{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
# Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
{{ else }}

{{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}

# Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 1024
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

{{- else }}
# user provided list of ciphers (Colon separated list as seen above)
# the env default is not used here since we can't get here with empty ROUTER_CIPHERS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers {{env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305"}}
{{- end }}
{{- end }}
{{- end }}

defaults
  maxconn {{env "ROUTER_MAX_CONNECTIONS" "2"}}

  # Add x-forwarded-for header.
{{- if ne (env "ROUTER_SYSLOG_ADDRESS" "") "" }}
{{- if ne (env "ROUTER_SYSLOG_FORMAT" "") "" }}

Marcello

On Fri, Nov 17, 2017 at 1:36 PM, Mateus Caruccio <mateus.caruc...@getupcloud.com> wrote:

> Hey Marcello.
>
> [...]
>
> Mateus
Re: Openshift router certificate chain
Hey Marcello.

Correct me if I'm wrong, but you could look into haproxy's config and set all ciphers you need:

$ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers haproxy-config.template

There is this env var `ROUTER_CIPHERS`: you can choose standard profiles (modern|intermediate|old) or define your own list.

Hope this helps.

Mateus

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-11-17 10:28 GMT-02:00 Marcello Lorenzi:

> Hi All,
> [...]
>
> Thanks,
> Marcello

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
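Both this reply and the "edit the router template with that cipher" suggestion at the top of the thread turn on the ROUTER_CIPHERS branch of haproxy-config.template. The script below is an added example, not router code from the thread or from OpenShift: it mirrors that branch in Python (the three profile strings are copied from the template excerpt Marcello posted; the classification rules and function names are this example's own) and reports which suites of the chosen profile use 3DES, an HMAC-SHA-1 record MAC, or no forward secrecy. One caveat worth keeping in mind while reading it: the "-SHA" suffix in names such as ECDHE-RSA-AES128-SHA is the TLS record MAC, not a certificate signature hash, so the cipher list does not decide whether a SHA-1-signed certificate in a re-encrypt backend's chain is accepted; that is a certificate-verification decision made when the router checks the backend chain against the route's destinationCACertificate.

```python
"""Mirror the ROUTER_CIPHERS decision of the OpenShift 3.6 router template and
audit the cipher string it produces. Constructed example for this thread, not
router code: profile strings are copied from the posted template excerpt; the
classification rules are this example's own."""
import os

# (tune.ssl.default-dh-param, ssl-default-bind-ciphers) per profile, as in the template.
PROFILES = {
    "modern": (2048,
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"),
    "intermediate": (2048,
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
        "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
        "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
        "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"),
    "old": (1024,
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
        "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
        "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
        "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
        "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
        "ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
        "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
        "AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:"
        "!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"),
}
DEFAULT_PROFILE = "intermediate"   # fallback of env "ROUTER_CIPHERS" "intermediate"
FORWARD_SECRECY = ("ECDHE-", "DHE-", "EDH-")
WEAK = {"3des", "hmac-sha1", "no-forward-secrecy"}


def select_ciphers(env):
    """Same branch the template takes: a known profile name, otherwise the value
    is used verbatim as a user-provided cipher list with dh-param 2048."""
    value = env.get("ROUTER_CIPHERS") or DEFAULT_PROFILE
    if value in PROFILES:
        dh, ciphers = PROFILES[value]
        return value, dh, ciphers
    return "custom", 2048, value


def render(env):
    """The two HAProxy global lines the template emits for this environment."""
    _, dh, ciphers = select_ciphers(env)
    return f"tune.ssl.default-dh-param {dh}\nssl-default-bind-ciphers {ciphers}"


def classify(suite):
    """Findings for one OpenSSL cipher-suite name. Keywords such as HIGH, AES,
    kEDH+AESGCM or !RC4 are expanded by OpenSSL at runtime and cannot be judged
    by name; run `openssl ciphers -v '<string>'` inside the router image for those."""
    if suite.startswith("!") or "+" in suite or "-" not in suite:
        return ["openssl-keyword"]
    findings = []
    if "DES-CBC3" in suite:
        findings.append("3des")                 # 64-bit block cipher (Sweet32)
    if suite.endswith("-SHA"):
        findings.append("hmac-sha1")            # record MAC, unrelated to cert signatures
    if not suite.startswith(FORWARD_SECRECY):
        findings.append("no-forward-secrecy")   # static RSA key exchange
    if "GCM" not in suite and "CHACHA20" not in suite:
        findings.append("cbc")
    return findings


def audit(cipher_string):
    """Map every token of a colon-separated cipher string to its findings."""
    return {s: classify(s) for s in cipher_string.split(":") if s}


def weak_suites(cipher_string):
    """Suites a practitioner would normally drop: 3DES, HMAC-SHA-1 or no forward secrecy."""
    return sorted(s for s, f in audit(cipher_string).items() if WEAK & set(f))


if __name__ == "__main__":
    profile, _, ciphers = select_ciphers(os.environ)
    print(f"# profile: {profile}\n{render(os.environ)}")
    for s in weak_suites(ciphers):
        print(f"# weak: {s} -> {', '.join(classify(s))}")
```

Run it with ROUTER_CIPHERS set the way the router deployment sets it (`oc -n default env --list dc/router` shows the value) to see which profile the template will pick and what that profile drags in; "modern" yields no findings, "intermediate" already carries 3DES and static-RSA suites for compatibility, and "old" additionally relies on OpenSSL keywords that only `openssl ciphers -v` can expand.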
Openshift router certificate chain
Hi All,
we tried to configure a new route on Openshift Origin 3.6 to expose a pod where the SSL termination is enabled. We have a problem configuring a re-encrypt route because we noticed that the application is not present on the router, and after some investigation we discovered that the problem is related to the pod certificate chain. The chain is formed by:

- root certificate sha1
- intermediate certificate sha256
- server certificate sha256

We have updated the root certificate to sha256 and all works fine.

Could you confirm if the Openshift router doesn't support the sha1 certificate?

Thanks,
Marcello
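Marcello's diagnosis rested on knowing which certificate in the pod's chain carries a SHA-1 signature. The script below is an added example, not anything from the thread or from OpenShift: a dependency-free check that walks each PEM certificate's outer signatureAlgorithm and flags SHA-1 and MD5, so a chain can be audited before the re-encrypt route is created (the same field `openssl x509 -noout -text` prints as "Signature Algorithm", but for the whole bundle at once). The embedded chain is a constructed DER fixture with the thread's shape, SHA-256 leaf and intermediate above a SHA-1 root, not real certificates; the function and constant names are this example's own.

```python
"""Signature algorithm of every certificate in a PEM chain, with SHA-1/MD5 flagged.
Constructed example for this thread, not OpenShift code: a minimal DER walker
that reads Certificate.signatureAlgorithm (RFC 5280). The fixture chain at the
bottom is constructed DER with the thread's shape, not real certificates."""
import base64
import re

# OIDs of the usual X.509 signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER TLV at pos: (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Name (or raw OID) of the outer signatureAlgorithm of one DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped entirely
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def audit_chain(pem_text):
    """[(index, algorithm, weak)] for each certificate in the PEM text, in file order."""
    report = []
    for i, block in enumerate(PEM_BLOCK.findall(pem_text)):
        alg = signature_algorithm(base64.b64decode("".join(block.split())))
        report.append((i, alg, "sha1" in alg.lower() or "md5" in alg.lower()))
    return report


# ---- constructed fixture: structurally valid DER, not real certificates ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert_pem(sig_oid):
    """Certificate ::= SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }; the tbs
    is padded past 127 bytes so the long-form length path is exercised."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x04, bytes(200)))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")     # params = NULL, as for RSA
    sig = _tlv(0x03, b"\x00" + bytes(32))                   # BIT STRING, 0 unused bits
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
# Leaf first, as HAProxy/OpenSSL expect: SHA-256 leaf, SHA-256 intermediate, SHA-1 root.
CHAIN_FROM_THREAD = (_fake_cert_pem(SHA256_RSA) + _fake_cert_pem(SHA256_RSA)
                     + _fake_cert_pem(SHA1_RSA))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CHAIN_FROM_THREAD
    for idx, alg, weak in audit_chain(text):
        print(f"cert[{idx}]: {alg}{'  <-- SHA-1/MD5 signature' if weak else ''}")
```

Pass the path of a PEM bundle (the pod's server chain, or the file you intend to put in the route's destinationCACertificate) as the only argument; with no argument it reports on the embedded fixture, where only the last entry, the root, is flagged.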