Sha1 may not even be in “old” (because I believe it’s now considered
broken).  If you need it, you’ll have to edit the router template with that
cipher.

On Nov 17, 2017, at 7:49 AM, Mateus Caruccio <[email protected]>
wrote:

What is the value of `ROUTER_CIPHERS`?

$ oc -n default env --list dc/router | grep ROUTER_CIPHERS

Maybe you need to set it to `old` in order to support sha1.



--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-11-17 10:42 GMT-02:00 Marcello Lorenzi <[email protected]>:

> Hi Mateus,
> this is the output reported:
>
>
>   # Prevent vulnerability to POODLE attacks
>   ssl-default-bind-options no-sslv3
>
> # The default cipher suite can be selected from the three sets recommended
> by https://wiki.mozilla.org/Security/Server_Side_TLS,
> # or the user can provide one using the ROUTER_CIPHERS environment
> variable.
> # By default when a cipher set is not provided, intermediate is used.
> {{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
>   # Modern cipher suite (no legacy browser support) from
> https://wiki.mozilla.org/Security/Server_Side_TLS
>   tune.ssl.default-dh-param 2048
>   ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
> ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:
> ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> {{ else }}
>
>   {{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
>   # Intermediate cipher suite (default) from https://wiki.mozilla.org/
> Security/Server_Side_TLS
>   tune.ssl.default-dh-param 2048
>   ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:
> ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
> ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-
> RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-
> AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-
> SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:
> ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-
> SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-
> AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-
> SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
> SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>   {{ else }}
>
>     {{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}
>
>   # Old cipher suite (maximum compatibility but insecure) from
> https://wiki.mozilla.org/Security/Server_Side_TLS
>   tune.ssl.default-dh-param 1024
>   ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:
> ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
> ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-
> DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-
> SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
> ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
> AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-
> SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-
> SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-
> AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:
> EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:
> AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-
> CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!
> PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
>
>     {{- else }}
>   # user provided list of ciphers (Colon separated list as seen above)
>   # the env default is not used here since we can't get here with empty
> ROUTER_CIPHERS
>   tune.ssl.default-dh-param 2048
>   ssl-default-bind-ciphers {{env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-
> POLY1305"}}
>     {{- end }}
>   {{- end }}
> {{- end }}
>
> defaults
>   maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}
>
>   # Add x-forwarded-for header.
> {{- if ne (env "ROUTER_SYSLOG_ADDRESS" "") "" }}
>   {{- if ne (env "ROUTER_SYSLOG_FORMAT" "") "" }}
>
> Marcello
>
> On Fri, Nov 17, 2017 at 1:36 PM, Mateus Caruccio <
> [email protected]> wrote:
>
>> Hey Marcello.
>>
>> Correct me if I'm wrong, but you could look into haproxy's config and set
>> all ciphers you need:
>>
>>     $ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers
>> haproxy-config.template
>>
>> There is this env var `ROUTER_CIPHERS` you can choose standard profiles
>> (modern|intermediate|old) or define your own list.
>>
>> Hope this helps.
>>
>> Mateus
>>
>>
>> --
>> Mateus Caruccio / Master of Puppets
>> GetupCloud.com
>> We make the infrastructure invisible
>> Gartner Cool Vendor 2017
>>
>> 2017-11-17 10:28 GMT-02:00 Marcello Lorenzi <[email protected]>:
>>
>>> Hi All,
>>> we tried to configure a new route on Openshift Origin 3.6 to expose a
>>> pod where the SSL termination is enabled. We have a problem to configure a
>>> re-encrypt route because we noticed that the application is not present on
>>> the router and after some investigation we discovered that the problem is
>>> related to pod certificate chain. The chain is formed by:
>>>
>>> - root certificate sha1
>>> - intermediate certificate sha256
>>> - server certificate sha256
>>>
>>> We have updated the root certificate to sha256 and all works fine.
>>>
>>> Could you confirm if the Openshift router doesn't support the sha1
>>> certificate?
>>>
>>> Thanks,
>>> Marcello
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>>
>>
>
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
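The thread turns on how the router's haproxy-config.template maps `ROUTER_CIPHERS` to a cipher profile: an unset or empty variable falls back to `intermediate`, the literals `modern`, `intermediate` and `old` select the three Mozilla sets (with `old` dropping `tune.ssl.default-dh-param` to 1024), and any other value is passed through verbatim as a user-supplied colon-separated list. The following is an added example, not code from OpenShift or haproxy, that models that selection logic in Python and adds a small audit helper showing which non-negated entries of a resulting list still reference legacy primitives. The cipher strings in `PROFILES` are constructed, abbreviated subsets of the lists quoted above, and `LEGACY_MARKERS` is an assumed list of substrings chosen for the check. One caveat worth keeping in mind when reading the template: the `SHA`/`SHA256`/`SHA384` suffix in a cipher-suite name is the suite's MAC/PRF hash, which is independent of the hash used to sign the certificates in the pod's chain.

```python
"""Model of the ROUTER_CIPHERS selection in the OpenShift router's
haproxy-config.template (added example; not OpenShift or haproxy code)."""
from dataclasses import dataclass

# Constructed, abbreviated stand-ins for the three Mozilla profiles in the
# template. Each entry is (tune.ssl.default-dh-param, ssl-default-bind-ciphers).
PROFILES = {
    "modern": (
        "2048",
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-CHACHA20-POLY1305",
    ),
    "intermediate": (
        "2048",
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
        "DES-CBC3-SHA:!DSS",
    ),
    "old": (
        "1024",
        "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:HIGH:SEED:"
        "!aNULL:!RC4:!MD5",
    ),
}


@dataclass
class CipherConfig:
    profile: str   # "modern" | "intermediate" | "old" | "custom"
    dh_param: str  # value the template emits for tune.ssl.default-dh-param
    ciphers: str   # value the template emits for ssl-default-bind-ciphers


def env(environ, name, default):
    """Mirror of the template's `env "NAME" "default"` helper: an unset or
    empty variable yields the default."""
    value = environ.get(name, "")
    return value if value != "" else default


def select_ciphers(environ) -> CipherConfig:
    """Walk the template's nested if/else chain for ROUTER_CIPHERS."""
    value = env(environ, "ROUTER_CIPHERS", "intermediate")
    if value in PROFILES:
        dh_param, ciphers = PROFILES[value]
        return CipherConfig(value, dh_param, ciphers)
    # Any other non-empty value is a user-provided colon-separated list;
    # the template keeps dh-param 2048 and emits the value verbatim.
    return CipherConfig("custom", "2048", value)


# Assumed substrings that mark legacy primitives in an OpenSSL cipher name.
LEGACY_MARKERS = ("DES-CBC3", "RC4", "MD5", "SEED")


def legacy_suites(ciphers: str):
    """Return the enabled (non-negated) entries that reference a legacy
    primitive, so an operator can see what an `old` or custom list admits.
    Entries prefixed with '!' are exclusions and are skipped."""
    found = []
    for entry in ciphers.split(":"):
        if not entry or entry.startswith("!"):
            continue
        if any(marker in entry for marker in LEGACY_MARKERS):
            found.append(entry)
    return found


if __name__ == "__main__":
    for environ in ({}, {"ROUTER_CIPHERS": "old"},
                    {"ROUTER_CIPHERS": "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA"}):
        cfg = select_ciphers(environ)
        print(cfg.profile, cfg.dh_param, legacy_suites(cfg.ciphers))
```

Running the script with `ROUTER_CIPHERS` unset prints the `intermediate` profile, as the template's default implies, while the custom list shows how a hand-written value reaches haproxy unchanged, including any weak entry it carries; the same `legacy_suites` check can be run over the real value returned by `oc -n default env --list dc/router | grep ROUTER_CIPHERS`.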
