New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.12] OCPBUGS-24571: Disable weak SSH cipher suites #2164
[release-4.12] OCPBUGS-24571: Disable weak SSH cipher suites #2164
Conversation
During an internal audit conducted by one of our customers in OCP, it was discovered that the openshift-sdn component, specifically on port 9101, has exposed certain cipher suites that are considered weak. We have identified the following weak ciphers that are currently being accepted: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - See [1] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - See [2] [1] https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/ [2] https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/ Reported-at: https://issues.redhat.com/browse/OCPBUGS-15201 Signed-off-by: Flavio Fernandes <flaviof@redhat.com> (cherry picked from commit 74029d4)
@flavio-fernandes: This pull request references Jira Issue OCPBUGS-24571, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest-required |
1 similar comment
/retest-required |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, flavio-fernandes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required |
@flavio-fernandes: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
/label cherry-pick-approved |
/jira refresh |
@flavio-fernandes: This pull request references Jira Issue OCPBUGS-24571, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/label backport-risk-assessed |
/jira refresh |
1 similar comment
/jira refresh |
@zhaozhanqi: This pull request references Jira Issue OCPBUGS-24571, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@flavio-fernandes: This pull request references Jira Issue OCPBUGS-24571, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
3258e20
into
openshift:release-4.12
@flavio-fernandes: Jira Issue OCPBUGS-24571: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-24571 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-network-operator-container-v4.12.0-202401090132.p0.g3258e20.assembly.stream for distgit cluster-network-operator. |
Fix included in accepted release 4.12.0-0.nightly-2024-01-09-021254 |
During an internal audit conducted by one of our customers in OCP, it was discovered that the openshift-sdn component, specifically on port 9101, has exposed certain cipher suites that are considered weak. We have identified the following weak ciphers that are currently being accepted:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - See [1]
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - See [2]
[1] https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/
[2] https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/