NE-472:Add tlsv1.3 support #617

Merged: 2 commits, merged Jun 28, 2021
Conversation

@miheer (Contributor) commented May 19, 2021

Delete filterTLS13Ciphers and simplify
Simplify the logic in validateTLSSecurityProfile so that filterTLS13Ciphers
is no longer needed, and delete the superfluous function definition.

  • pkg/operator/controller/ingress/controller.go
    (validateTLSSecurityProfile): Simplify TLSv1.3 ciphers check.
    (filterTLS13Ciphers): Delete function.

Allow TLSv1.3 and the "Modern" TLS profile

OpenShift 4.6 is built using UBI 8, which has OpenSSL 1.1.1, which supports
TLSv1.3, so allow specifying spec.tlsSecurityProfile.type: Modern or
spec.tlsSecurityProfile.custom.minTLSVersion: VersionTLS13.

  • pkg/operator/controller/ingress/controller.go
    (tlsProfileSpecForSecurityProfile): Allow use of the "Modern" profile.
    (validTLSVersions): Add configv1.VersionTLS13.
    (validateTLSSecurityProfile): Verify that some non-TLSv1.3 cipher is
    specified if minTLSVersion is a version below TLSv1.3, and verify that some
    TLSv1.3 cipher is specified if minTLSVersion is TLSv1.3.
  • pkg/operator/controller/ingress/controller_test.go
    (TestTLSProfileSpecForSecurityProfile)
    (TestTLSProfileSpecForIngressController): Verify that the "Modern" profile
    is used if it is specified.
  • pkg/operator/controller/ingress/deployment.go (desiredRouterDeployment):
    Allow TLSv1.3. Set ROUTER_CIPHERS based on the non-TLSv1.3 ciphers in the
    ingresscontroller's TLS profile, and set ROUTER_CIPHERSUITES based on the
    TLSv1.3 ciphers.
    (inferTLSProfileSpecFromDeployment): Allow TLSv1.3.
  • pkg/operator/controller/ingress/deployment_test.go
    (TestDesiredRouterDeployment): Verify that SSL_MIN_VERSION is set to
    TLSv1.3 if TLSv1.3 was specified on the ingresscontroller. Verify that
    ROUTER_CIPHERSUITES is set if the TLS profile specifies any TLSv1.3
    ciphers, and verify that ROUTER_CIPHERSUITES has TLSv1.3 ciphers and
    ROUTER_CIPHERS has other ciphers.
    (TestInferTLSProfileSpecFromDeployment): Add test cases for
    SSL_MIN_VERSION=TLSv1.2 and for SSL_MIN_VERSION=TLSv1.3.

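The validation and environment rendering described in the commit message above, as an added example rather than the operator's own code: it partitions a profile's ciphers into the pre-TLSv1.3 set (ROUTER_CIPHERS) and the TLSv1.3 set (ROUTER_CIPHERSUITES), enforces the two minTLSVersion rules, and extracts ssl-default-bind-ciphersuites from haproxy.config text so the rendered router config can be compared with the expected list. The function names (splitCiphers, validateTLSProfile, routerEnv, haproxyCiphersuites), the RFC 8446 suite table and the constructed sample inputs are this example's own assumptions; the operator's actual code in controller.go and deployment.go is shaped differently.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tls13CipherSuites lists every TLSv1.3 cipher suite defined in RFC 8446 by
// its IANA name. Anything else in a profile is treated as a pre-1.3 cipher in
// OpenSSL/HAProxy notation (for example ECDHE-ECDSA-AES128-GCM-SHA256).
// This table is the example's own; the operator keeps its own list.
var tls13CipherSuites = map[string]bool{
	"TLS_AES_128_GCM_SHA256":       true,
	"TLS_AES_256_GCM_SHA384":       true,
	"TLS_CHACHA20_POLY1305_SHA256": true,
	"TLS_AES_128_CCM_SHA256":       true,
	"TLS_AES_128_CCM_8_SHA256":     true,
}

// Minimum-version identifiers as spelled in
// spec.tlsSecurityProfile.custom.minTLSVersion, and the HAProxy ssl-min-ver
// value (SSL_MIN_VERSION) each one maps to.
const (
	VersionTLS10 = "VersionTLS10"
	VersionTLS11 = "VersionTLS11"
	VersionTLS12 = "VersionTLS12"
	VersionTLS13 = "VersionTLS13"
)

var sslMinVersion = map[string]string{
	VersionTLS10: "TLSv1.0", VersionTLS11: "TLSv1.1",
	VersionTLS12: "TLSv1.2", VersionTLS13: "TLSv1.3",
}

// splitCiphers partitions a profile's cipher list into pre-TLSv1.3 ciphers
// (HAProxy ssl-default-bind-ciphers) and TLSv1.3 suites
// (ssl-default-bind-ciphersuites), keeping the configured order.
func splitCiphers(ciphers []string) (pre13, tls13 []string) {
	for _, c := range ciphers {
		if tls13CipherSuites[c] {
			tls13 = append(tls13, c)
		} else {
			pre13 = append(pre13, c)
		}
	}
	return pre13, tls13
}

// validateTLSProfile applies the rule from the commit message: a minimum
// version below TLSv1.3 needs at least one pre-1.3 cipher, otherwise no
// TLSv1.2 handshake could ever succeed; a minimum of TLSv1.3 needs at least
// one TLSv1.3 suite, otherwise no handshake at all could succeed.
func validateTLSProfile(minTLSVersion string, ciphers []string) error {
	pre13, tls13 := splitCiphers(ciphers)
	switch minTLSVersion {
	case VersionTLS10, VersionTLS11, VersionTLS12:
		if len(pre13) == 0 {
			return fmt.Errorf("minTLSVersion %s requires at least one non-TLSv1.3 cipher", minTLSVersion)
		}
	case VersionTLS13:
		if len(tls13) == 0 {
			return errors.New("minTLSVersion VersionTLS13 requires at least one TLSv1.3 cipher suite")
		}
	default:
		return fmt.Errorf("unsupported minTLSVersion %q", minTLSVersion)
	}
	return nil
}

// routerEnv renders the router deployment's environment: SSL_MIN_VERSION,
// ROUTER_CIPHERS from the pre-1.3 ciphers, and ROUTER_CIPHERSUITES only when
// the profile carries TLSv1.3 suites.
func routerEnv(minTLSVersion string, ciphers []string) (map[string]string, error) {
	if err := validateTLSProfile(minTLSVersion, ciphers); err != nil {
		return nil, err
	}
	pre13, tls13 := splitCiphers(ciphers)
	env := map[string]string{
		"SSL_MIN_VERSION": sslMinVersion[minTLSVersion],
		"ROUTER_CIPHERS":  strings.Join(pre13, ":"),
	}
	if len(tls13) > 0 {
		env["ROUTER_CIPHERSUITES"] = strings.Join(tls13, ":")
	}
	return env, nil
}

// haproxyCiphersuites extracts the value of ssl-default-bind-ciphersuites
// from rendered haproxy.config text (the check done with grep in the PR).
func haproxyCiphersuites(config string) string {
	for _, line := range strings.Split(config, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == "ssl-default-bind-ciphersuites" {
			return fields[1]
		}
	}
	return ""
}

func main() {
	// Constructed input: the Modern profile's three suites.
	modern := []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
	env, err := routerEnv(VersionTLS13, modern)
	fmt.Println(env, err)
	// Constructed haproxy.config fragment; the rendered line must match.
	config := "  ssl-default-bind-ciphersuites " + env["ROUTER_CIPHERSUITES"] + "\n"
	fmt.Println("config matches:", haproxyCiphersuites(config) == env["ROUTER_CIPHERSUITES"])
	// Rejected: pinned to TLSv1.3 but listing only a TLSv1.2 cipher.
	_, err = routerEnv(VersionTLS13, []string{"ECDHE-ECDSA-AES128-GCM-SHA256"})
	fmt.Println(err)
}
```

The two rules matter because HAProxy takes the two lists through separate directives: a profile pinned to TLSv1.3 with only ECDHE-style ciphers would render an empty ssl-default-bind-ciphersuites and refuse every client, while a TLSv1.2 minimum with only TLS_ suites would leave ssl-default-bind-ciphers empty and break every pre-1.3 client the profile claims to admit.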
@miheer (Contributor, Author) commented May 19, 2021

Tests are working fine.

1.
[miheer@localhost cluster-ingress-operator]$ oc edit ingresscontrollers -n openshift-ingress-operator

2. Add Modern in tlsSecurityProfile
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  creationTimestamp: "2021-05-19T03:32:18Z"
  finalizers:
  - ingresscontroller.operator.openshift.io/finalizer-ingresscontroller
  generation: 2
  name: default
  namespace: openshift-ingress-operator
  resourceVersion: "47942"
  uid: d40a45cf-b283-4920-ba49-fd0b4690092d
spec:
  httpErrorCodePages:
    name: ""
  replicas: 2
  tlsSecurityProfile:
    type: Modern
  tuningOptions: {}
3. Let the routers spin up
[miheer@localhost cluster-ingress-operator]$ oc get pods -n openshift-ingress
NAME                              READY   STATUS    RESTARTS   AGE
router-default-6fd669d679-mhxbp   1/1     Running   0          11m
router-default-6fd669d679-vp5hx   1/1     Running   0          11m
4. Check the haproxy config file ->
[miheer@localhost cluster-ingress-operator]$ oc -n openshift-ingress rsh router-default-6fd669d679-mhxbp cat haproxy.config | grep ssl-default-bind-ciphersuites
 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

[miheer@localhost cluster-ingress-operator]$ oc -n openshift-ingress rsh router-default-6fd669d679-vp5hx  cat haproxy.config | grep ssl-default-bind-ciphersuites
 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
5. Check if ciphers are working.
[miheer@localhost cluster-ingress-operator]$ oc get svc -n openshift-ingress
NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
router-default            LoadBalancer   172.30.71.96    35.196.179.66   80:32320/TCP,443:30342/TCP   65m
router-internal-default   ClusterIP      172.30.14.170   <none>          80/TCP,443/TCP,1936/TCP      65m

OpenSSL to the external IP with the TLSv1.3 ciphers: https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go#L254-L262

A)

[miheer@localhost cluster-ingress-operator]$ openssl s_client -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -connect  35.196.179.66:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = ingress-operator@1621395138
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = ingress-operator@1621395138
verify return:1
depth=0 CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
verify return:1
---
Certificate chain
 0 s:CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
   i:CN = ingress-operator@1621395138
 1 s:CN = ingress-operator@1621395138
   i:CN = ingress-operator@1621395138
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com

issuer=CN = ingress-operator@1621395138

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2280 bytes and written 351 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: A055B45E6C0D597E6A7A95BE8239D2420178A6878A815182082070198824F216
    Session-ID-ctx: 
    Resumption PSK: 8D1092A6114CAA29B730F1C98BC0504C5CC7F11E3DC9323DA37893968A77C904
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da cf 4c 15 21 94 a6 f5-71 d8 da dd bf 79 6f e2   ..L.!...q....yo.
    0010 - 25 46 cb f1 ae 25 ff f5-ca 2a 63 d6 35 ce 3a 9a   %F...%...*c.5.:.
    0020 - 9a f5 3b d9 b2 81 b1 b5-07 1f 1f 94 c0 f6 ec 81   ..;.............
    0030 - 10 08 46 81 22 be 44 40-b2 4c 42 87 6a e4 ce 1a   ..F.".D@.LB.j...
    0040 - 80 10 05 df b2 2a aa e7-46 29 e7 2b 6b f6 59 b4   .....*..F).+k.Y.
    0050 - e6 ab 01 d1 8e d5 7e 60-cb 31 db 45 75 3a 7d 95   ......~`.1.Eu:}.
    0060 - 26 d2 e8 e7 d9 d9 41 f8-be c4 c2 30 88 97 bf 0e   &.....A....0....
    0070 - 6b ea 37 c5 e8 3f 90 30-e8 a4 54 93 77 89 62 a7   k.7..?.0..T.w.b.
    0080 - ad ea ca f3 0a ca 65 5e-71 5d 04 78 fb cc a4 a5   ......e^q].x....
    0090 - 98 dc 73 d9 70 ca 0c 64-4a e3 16 33 4b d6 7a ac   ..s.p..dJ..3K.z.
    00a0 - 8e e4 57 2e 09 92 69 c0-97 f5 9a 14 e0 07 df 5c   ..W...i........\
    00b0 - 5f 3b c9 ca fb be 43 a0-7f 3d d4 21 d5 fc ac 19   _;....C..=.!....

    Start Time: 1621399953
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 03E5C4E58668FF1A788E36F476538758224F2DD04C2DFC24C0896FC8F68A3C1A
    Session-ID-ctx: 
    Resumption PSK: 6525FF4F274AB1011F5B8074D272711DB8A3B1068DFEBC51A549C40A420A0B81
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da cf 4c 15 21 94 a6 f5-71 d8 da dd bf 79 6f e2   ..L.!...q....yo.
    0010 - 7a 1e 26 a1 da 29 4e 1d-76 a0 bd 2f 0e c0 85 81   z.&..)N.v../....
    0020 - 03 3a 78 e5 16 86 9b a9-19 70 d0 fc 30 df 28 36   .:x......p..0.(6
    0030 - 13 eb f9 d8 0c 40 5c f1-e4 03 4e 8b 7e e6 38 01   .....@\...N.~.8.
    0040 - 58 ed af cb 1a 72 28 f5-36 89 0a 8a 6c c9 4d 02   X....r(.6...l.M.
    0050 - 19 e3 2f d1 38 ad 99 13-e5 66 00 0f e9 de e2 87   ../.8....f......
    0060 - 18 95 82 e6 26 2f 25 40-8e 3c cf 4d ef 3d 89 e3   ....&/%@.<.M.=..
    0070 - f6 46 44 4e 82 27 f7 64-af eb f5 d2 c0 3d 2b b8   .FDN.'.d.....=+.
    0080 - e2 c2 84 2b bf 64 65 d2-f3 f9 fd 7a c7 22 26 f5   ...+.de....z."&.
    0090 - c2 3d a5 ee 37 f9 42 8f-74 f4 72 ac 68 3d e6 f0   .=..7.B.t.r.h=..
    00a0 - 32 d2 6b a8 fb b3 ba bd-b5 97 8f ab 1a 8d 2e 3e   2.k............>
    00b0 - 57 2e 92 1c 88 93 1a 26-f5 27 62 08 5a b0 ba 81   W......&.'b.Z...

    Start Time: 1621399953
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
^C

B)

[miheer@localhost cluster-ingress-operator]$ openssl s_client -ciphersuites TLS_AES_256_GCM_SHA384 -connect  35.196.179.66:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = ingress-operator@1621395138
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = ingress-operator@1621395138
verify return:1
depth=0 CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
verify return:1
---
Certificate chain
 0 s:CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
   i:CN = ingress-operator@1621395138
 1 s:CN = ingress-operator@1621395138
   i:CN = ingress-operator@1621395138
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com

issuer=CN = ingress-operator@1621395138

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2296 bytes and written 367 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3FFE080385370DB3E805EC57EF64DECC118175D9F3F005F41FBAF7AE9C100D44
    Session-ID-ctx: 
    Resumption PSK: C7264E2C25040D684C55AE8D1FEF26078CA1D10C88BE35A2D5AD50046FAE80DBC1EF4A362258B5B3257AF524853DE402
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 37 6b 3d 61 41 e4 8d 34-7f c2 8f 57 fe e2 08 d9   7k=aA..4...W....
    0010 - 68 e4 8f 06 e9 2e a0 04-3a 31 a5 96 b0 5b 62 b3   h.......:1...[b.
    0020 - 4d f0 ab 47 08 96 62 22-a9 7c ac de d6 dc 9f d7   M..G..b".|......
    0030 - f5 e3 1d c9 25 7c c4 ea-cd 8a 17 43 04 af ea f3   ....%|.....C....
    0040 - 44 60 b3 c2 aa 85 85 57-89 9a f6 03 4a 69 71 45   D`.....W....JiqE
    0050 - ea 96 ec 98 48 0a ca ee-ba 04 d3 23 e6 b9 ed c7   ....H......#....
    0060 - 79 7a 30 98 ee be 1c 96-7c 56 f6 88 06 a8 64 6f   yz0.....|V....do
    0070 - eb f3 1d ec 45 b8 9e bb-f6 64 21 bf d9 2c 8c 75   ....E....d!..,.u
    0080 - 60 1b 73 cb 6f 7f d1 d3-85 e0 55 bb b8 82 12 a7   `.s.o.....U.....
    0090 - fd 28 ac d9 b7 a4 9a bc-e5 c7 d9 88 cf ae 4b 6a   .(............Kj
    00a0 - 36 8d 04 2b 56 a2 94 10-83 fb ce b1 dc ab e7 ea   6..+V...........
    00b0 - 1a fb 36 73 99 be 7c d8-82 fa ad c0 d6 a1 b4 47   ..6s..|........G
    00c0 - be f5 d1 7a 40 28 f3 d0-3e 29 c6 29 b8 84 68 f4   ...z@(..>).)..h.

    Start Time: 1621400394
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 44ED1C7C087D83BAC690D1D6206FB373C53A85DE6905DFE52445AA663ED6FCE1
    Session-ID-ctx: 
    Resumption PSK: F53D0C4ABC1480091B15982436507C0C705DA2212F36B801192A07798560B97B20A1E41790FEF449FB4D74715D28C40C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 37 6b 3d 61 41 e4 8d 34-7f c2 8f 57 fe e2 08 d9   7k=aA..4...W....
    0010 - f8 fa 79 4a 6a 8c 35 0c-31 7c 56 0a e2 3f 54 e1   ..yJj.5.1|V..?T.
    0020 - 2f e2 3c b6 a1 d5 60 f3-23 24 3b cf 72 ce a8 8f   /.<...`.#$;.r...
    0030 - 8a f8 bc 94 59 e7 2f 48-80 82 3b b2 26 00 e4 20   ....Y./H..;.&.. 
    0040 - 71 d1 bb 7e ea 8d 5a 84-8a dd eb f0 f5 38 7d 71   q..~..Z......8}q
    0050 - ed 23 15 0a 45 f9 72 dc-70 c6 10 47 92 02 33 85   .#..E.r.p..G..3.
    0060 - 8b af a8 5c 4a 24 28 4e-cb e8 f7 45 1c 17 b8 1e   ...\J$(N...E....
    0070 - ef 92 40 4f 31 9a 60 4c-b8 71 89 62 bb 2b ba 8b   ..@O1.`L.q.b.+..
    0080 - 03 74 71 02 b4 7e 09 29-20 a6 39 82 78 ca 3e e7   .tq..~.) .9.x.>.
    0090 - 0f 21 52 a1 72 77 96 98-b1 c5 17 6b 58 8c 5b 6c   .!R.rw.....kX.[l
    00a0 - c7 cc 41 3c ea b9 28 8a-2c 87 c9 04 70 54 9a ec   ..A<..(.,...pT..
    00b0 - 0c ea 9b 95 56 1e fd df-8d dd 1c fb bf fc ab 3b   ....V..........;
    00c0 - d5 3a 1e d0 2c f4 00 3e-b2 1e 42 f6 6c f2 13 c8   .:..,..>..B.l...

    Start Time: 1621400394
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.1 408 Request Time-out
content-length: 110
cache-control: no-cache
content-type: text/html
connection: close

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

C)

[miheer@localhost cluster-ingress-operator]$ openssl s_client -ciphersuites TLS_AES_128_GCM_SHA256 -connect  35.196.179.66:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = ingress-operator@1621395138
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = ingress-operator@1621395138
verify return:1
depth=0 CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
verify return:1
---
Certificate chain
 0 s:CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com
   i:CN = ingress-operator@1621395138
 1 s:CN = ingress-operator@1621395138
   i:CN = ingress-operator@1621395138
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = *.apps.ci-ln-9f6jy6k-f76d1.origin-ci-int-gce.dev.openshift.com

issuer=CN = ingress-operator@1621395138

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2280 bytes and written 351 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: AFBCFA3B0EAD2B0BE5EB58B6D3C20FE889FB4B7A103CF60788709C36292FD47F
    Session-ID-ctx: 
    Resumption PSK: D9CA8469D4C7DB238542149B796E0E7E13872893E48D7B8BB09CC4354F2D3FED
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da cf 4c 15 21 94 a6 f5-71 d8 da dd bf 79 6f e2   ..L.!...q....yo.
    0010 - 4f 02 c6 3f de 9e a2 bf-c7 2c eb b4 99 d6 bf a6   O..?.....,......
    0020 - df 6e 8a 2b b0 06 1f fa-5d 79 fd 85 23 e7 e5 cb   .n.+....]y..#...
    0030 - 8d 64 3e fa 3b 2d f5 5d-45 a3 8a ed ea 64 5e 16   .d>.;-.]E....d^.
    0040 - 1b dd 35 ec 71 1f 59 de-8f c5 da bd 04 30 c5 aa   ..5.q.Y......0..
    0050 - 2c 2e fc 9f 5e b8 50 0f-7e 85 86 9c ae fd a9 a8   ,...^.P.~.......
    0060 - b0 95 b7 7a 46 bf c8 0e-44 73 54 1e 5e bf 74 56   ...zF...DsT.^.tV
    0070 - d0 53 28 a6 eb c2 8b 51-75 52 e1 23 c1 f6 e5 57   .S(....QuR.#...W
    0080 - a8 5b b7 2e d8 89 dd 3e-b1 48 5f 3b af 5c 08 57   .[.....>.H_;.\.W
    0090 - 9f 39 95 71 57 61 10 50-62 81 fd f8 37 c8 5b b0   .9.qWa.Pb...7.[.
    00a0 - e9 46 5d b7 3b 31 91 3a-4d f2 2f bf 92 42 32 3c   .F].;1.:M./..B2<
    00b0 - ce 58 ab 84 a7 bc bd 83-aa 12 24 8e a8 21 52 da   .X........$..!R.

    Start Time: 1621400449
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 95BBDC9AF49B18DDC68D98876DB59EE7AB127C786736C4BBC2273012B6DAFF06
    Session-ID-ctx: 
    Resumption PSK: 547CD8123B4F84D1699865717896FAD68638B81C2E5A9FA53B7864CCE33559D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da cf 4c 15 21 94 a6 f5-71 d8 da dd bf 79 6f e2   ..L.!...q....yo.
    0010 - c8 f6 f8 ba e3 6b 45 27-b3 10 e8 57 63 c7 cd 27   .....kE'...Wc..'
    0020 - 1d ab be 65 58 dc 64 c7-7a 2a 1b 1e cc cf bd 9f   ...eX.d.z*......
    0030 - dc 8f 88 b3 95 24 f1 58-31 52 29 ca 71 93 1b a2   .....$.X1R).q...
    0040 - 78 7f c9 48 b6 ea 9c e6-68 3c 6b 7d f2 d1 b0 c9   x..H....h<k}....
    0050 - 25 0e b9 ce 7a 0e a4 b2-23 58 eb bd 33 b1 81 08   %...z...#X..3...
    0060 - 64 ee 7a ec 9a 71 82 ed-26 28 a2 f8 f0 2c 1e f4   d.z..q..&(...,..
    0070 - 58 28 92 c7 43 47 85 35-14 de 61 23 8c c0 01 ec   X(..CG.5..a#....
    0080 - f3 40 4b 4f 61 cf 94 34-d7 d2 25 f7 4d 5a a0 e9   .@KOa..4..%.MZ..
    0090 - ea de 05 db a3 a3 25 43-4c 53 0c e0 85 ad 5f a0   ......%CLS...._.
    00a0 - 2e 4f 30 64 1a cb 1a 8c-95 c5 a0 e4 d9 6f ae b7   .O0d.........o..
    00b0 - 78 87 7a b3 ad b5 55 5c-f6 b4 e7 3b e9 61 fc a9   x.z...U\...;.a..

    Start Time: 1621400449
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.1 408 Request Time-out
content-length: 110
cache-control: no-cache
content-type: text/html
connection: close

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

@miheer (Contributor, Author) commented May 19, 2021

@Miciah PTAL

@miheer (Contributor, Author) commented Jun 20, 2021

/retest

@miheer (Contributor, Author) commented Jun 20, 2021

/retest

@miheer (Contributor, Author) commented Jun 21, 2021

/retest

@miheer force-pushed the tls13 branch 2 times, most recently from 164dc07 to 44e858d on June 21, 2021 15:18
@miheer (Contributor, Author) commented Jun 21, 2021

/retest

@miheer force-pushed the tls13 branch 2 times, most recently from aecdf9e to 6f4949e on June 22, 2021 03:41
sort.Strings(actualCiphers)
sort.Strings(expectedCiphers)

if !reflect.DeepEqual(actualCiphers, expectedCiphers) && !reflect.DeepEqual(intermediateProfileSpec.MinTLSVersion, ic.Status.TLSProfile.MinTLSVersion) {
A reviewer (Contributor) commented on the lines above:

Suggested change
if !reflect.DeepEqual(actualCiphers, expectedCiphers) && !reflect.DeepEqual(intermediateProfileSpec.MinTLSVersion, ic.Status.TLSProfile.MinTLSVersion) {
if !reflect.DeepEqual(actualCiphers, expectedCiphers) || !reflect.DeepEqual(intermediateProfileSpec.MinTLSVersion, ic.Status.TLSProfile.MinTLSVersion) {

@miheer (Contributor, Author) commented Jun 22, 2021

@sgreene570 can you please review?

@sgreene570 (Contributor) commented:

/test e2e-aws-operator

@sgreene570 (Contributor) commented:

Thanks @Miciah & @miheer! Looks good!

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 22, 2021
@openshift-ci bot commented Jun 22, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: miheer, sgreene570


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 22, 2021
@openshift-bot commented:

/retest

Please review the full test history for this PR and help us cut down flakes.

34 similar comments
@openshift-merge-robot openshift-merge-robot merged commit 1275704 into openshift:master Jun 28, 2021