Hi All,
the parameter is empty.

[root@dev-openshift01 ~]# oc -n default env --list dc/router | grep ROUTER_CIPHERS
ROUTER_CIPHERS=

Marcello

On Fri, Nov 17, 2017 at 3:22 PM, Clayton Coleman <[email protected]> wrote:
> Sha1 may not even be in “old” (because I believe it’s now considered broken). If you need it, you’ll have to edit the router template with that cipher.
>
> On Nov 17, 2017, at 7:49 AM, Mateus Caruccio <mateus.caruccio@getupcloud.com> wrote:
>
> What is the value of `ROUTER_CIPHERS`?
>
> $ oc -n default env --list dc/router | grep ROUTER_CIPHERS
>
> Maybe you need to set it to `old` in order to support sha1.
>
> --
> Mateus Caruccio / Master of Puppets
> GetupCloud.com
> We make the infrastructure invisible
> Gartner Cool Vendor 2017
>
> 2017-11-17 10:42 GMT-02:00 Marcello Lorenzi <[email protected]>:
>
>> Hi Mateus,
>> this is the output reported:
>>
>> # Prevent vulnerability to POODLE attacks
>> ssl-default-bind-options no-sslv3
>>
>> # The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
>> # or the user can provide one using the ROUTER_CIPHERS environment variable.
>> # By default when a cipher set is not provided, intermediate is used.
>> {{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
>> # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
>> tune.ssl.default-dh-param 2048
>> ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
>> {{ else }}
>>
>> {{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
>> # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
>> tune.ssl.default-dh-param 2048
>> ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>> {{ else }}
>>
>> {{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}
>>
>> # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
>> tune.ssl.default-dh-param 1024
>> ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
>>
>> {{- else }}
>> # user provided list of ciphers (Colon separated list as seen above)
>> # the env default is not used here since we can't get here with empty ROUTER_CIPHERS
>> tune.ssl.default-dh-param 2048
>> ssl-default-bind-ciphers {{env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305"}}
>> {{- end }}
>> {{- end }}
>> {{- end }}
>>
>> defaults
>> maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}
>>
>> # Add x-forwarded-for header.
>> {{- if ne (env "ROUTER_SYSLOG_ADDRESS" "") "" }}
>> {{- if ne (env "ROUTER_SYSLOG_FORMAT" "") "" }}
>>
>> Marcello
>>
>> On Fri, Nov 17, 2017 at 1:36 PM, Mateus Caruccio <[email protected]> wrote:
>>
>>> Hey Marcello.
>>>
>>> Correct me if I'm wrong, but you could look into haproxy's config and set all ciphers you need:
>>>
>>> $ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers haproxy-config.template
>>>
>>> There is this env var `ROUTER_CIPHERS` you can choose standard profiles (modern|intermediate|old) or define your own list.
>>>
>>> Hope this helps.
>>>
>>> Mateus
>>>
>>> --
>>> Mateus Caruccio / Master of Puppets
>>> GetupCloud.com
>>> We make the infrastructure invisible
>>> Gartner Cool Vendor 2017
>>>
>>> 2017-11-17 10:28 GMT-02:00 Marcello Lorenzi <[email protected]>:
>>>
>>>> Hi All,
>>>> we tried to configure a new route on Openshift Origin 3.6 to expose a pod where the SSL termination is enabled. We have a problem to configure a re-encrypt route because we noticed that the application is not present on the router and after some investigation we discovered that the problem is related to the pod certificate chain. The chain is formed by:
>>>>
>>>> - root certificate sha1
>>>> - intermediate certificate sha256
>>>> - server certificate sha256
>>>>
>>>> We have updated the root certificate to sha256 and all works fine.
>>>>
>>>> Could you confirm if the Openshift router doesn't support the sha1 certificate?
>>>>
>>>> Thanks,
>>>> Marcello
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> [email protected]
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>
>>>
>>
>

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
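An added example, not code from the thread or from the OpenShift router project: Python that mirrors the if/else chain of the quoted haproxy-config.template, so an operator can paste the value printed by `oc -n default env --list dc/router | grep ROUTER_CIPHERS` and see which profile the router will actually use and what that profile enables. The cipher strings are copied from the template excerpt above; the one assumption is that the template's `env` helper falls back to its default ("intermediate") when ROUTER_CIPHERS is unset or empty, as the template comment states.

```python
"""Resolve ROUTER_CIPHERS the way the quoted haproxy-config.template does and summarise the result.
Assumption: `env "ROUTER_CIPHERS" "intermediate"` yields the default when the variable is unset or empty."""
from collections import Counter

MODERN = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
          "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
INTERMEDIATE = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
                "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
                "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
                "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
                "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
                "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")
OLD = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
       "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
       "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:"
       "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
       "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
       "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
       "ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
       "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:"
       "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP")
# (tune.ssl.default-dh-param, ssl-default-bind-ciphers) per profile, as in the template
PROFILES = {"modern": (2048, MODERN), "intermediate": (2048, INTERMEDIATE), "old": (1024, OLD)}

def resolve_ciphers(router_ciphers):
    """Value of ROUTER_CIPHERS (as `oc env --list` prints it) -> (profile, dh_param, cipher string)."""
    value = router_ciphers or "intermediate"        # env "ROUTER_CIPHERS" "intermediate"
    if value in PROFILES:
        return (value,) + PROFILES[value]
    return "custom", 2048, value                    # user-provided colon-separated list

def classify(token):
    """Tag one token of the colon-separated list: key exchange and cipher family, or exclusion/alias."""
    if token.startswith("!"):
        return ("excluded",)
    if "+" in token or "-" not in token:            # kEDH+AESGCM, AES, HIGH, SEED are OpenSSL aliases
        return ("openssl-alias",)
    kex = "forward-secrecy" if token.startswith(("ECDHE-", "DHE-", "EDH-")) else "rsa-kex"
    if "GCM" in token or "POLY1305" in token:
        return (kex, "aead")
    return (kex, "3des" if "DES-CBC3" in token else "cbc-hmac")

def review(router_ciphers):
    """Summarise what the selected profile enables, for a quick configuration review."""
    profile, dh, ciphers = resolve_ciphers(router_ciphers)
    tokens = ciphers.split(":")
    tags = Counter(t for tok in tokens for t in classify(tok))
    return {"profile": profile, "dh_param": dh, "tokens": len(tokens), "tags": tags}
```

`review("")` reproduces the empty-parameter case from the reply above (intermediate profile, 2048-bit DH, 3DES and static-RSA suites still enabled), while `review("old")` shows the 1024-bit DH parameter and the extra suites that profile drags in.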
