Skip to content

OCPBUGS-17349: Drop weak TLS ciphers #1964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
liouk wants to merge 1 commit into from
Closed

OCPBUGS-17349: Drop weak TLS ciphers #1964

liouk wants to merge 1 commit into from

Conversation

@liouk
Copy link
Member

@liouk liouk commented May 21, 2025
edited
Loading

This PR removes the following RSA/CBC/SHA1 insecure TLS ciphers from the list of default ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Proof PRs:

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 21, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 21, 2025

@liouk: This pull request references Jira Issue OCPBUGS-17349, which is invalid:

  • expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR removes the following RSA/CBC/SHA1 insecure TLS ciphers from the list of default ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from deads2k and p0lyn0mial May 21, 2025 10:14
@liouk liouk changed the title OCPBUGS-17349: Drop weak TLS ciphers WIP: OCPBUGS-17349: Drop weak TLS ciphers May 21, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 21, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 21, 2025
@liouk
Copy link
Member Author

liouk commented May 21, 2025

/jira refresh

@openshift-ci-robot
Copy link

openshift-ci-robot commented May 21, 2025

@liouk: An error was encountered updating to the POST state for bug OCPBUGS-17349 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. No response returned: Post "https://issues.redhat.com/rest/api/2/issue/15405568/transitions": POST https://issues.redhat.com/rest/api/2/issue/15405568/transitions giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk
Copy link
Member Author

liouk commented May 21, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 21, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 21, 2025

@liouk: This pull request references Jira Issue OCPBUGS-17349, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from xingxingxia May 21, 2025 10:16
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 21, 2025

@liouk: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

This was referenced May 21, 2025
Open
Open
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 22, 2025

@liouk: This pull request references Jira Issue OCPBUGS-17349, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

Details

In response to this:

This PR removes the following RSA/CBC/SHA1 insecure TLS ciphers from the list of default ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Proof PRs:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk liouk changed the title WIP: OCPBUGS-17349: Drop weak TLS ciphers OCPBUGS-17349: Drop weak TLS ciphers May 22, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 22, 2025
ibihim
ibihim reviewed May 22, 2025
View reviewed changes
pkg/crypto/crypto.go
Comment on lines +265 to +266
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // forbidden by http/2
tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // forbidden by http/2
Copy link
Contributor

@ibihim ibihim May 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: The indent is off for this comment.

Copy link
Member Author

@liouk liouk May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the lines above are comments as a whole, gofmt won't align the comments at the end unfortunately 😅 I could adjust manually, but the next person that formats this file will likely get the same change.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 22, 2025
ibihim
ibihim reviewed May 22, 2025
View reviewed changes
pkg/crypto/crypto.go
Comment on lines 261 to 262
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // forbidden by http/2
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // forbidden by http/2
Copy link
Contributor

@ibihim ibihim May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While at it, we should consider dropping those as well. They use CBC with an HMAC-SHA1. Which I assume is the same reasoning as dropping the others.

Copy link
Contributor

@sanchezl sanchezl Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I concur, let's drop everything not in the current (v5.7) guidelines. Basically drop everything "forbidden by http/2".

@liouk liouk mentioned this pull request May 27, 2025
Closed
@openshift-ci-robot
Copy link

openshift-ci-robot commented May 27, 2025

@liouk: This pull request references Jira Issue OCPBUGS-17349, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR removes the following RSA/CBC/SHA1 insecure TLS ciphers from the list of default ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Proof PRs:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@liouk liouk mentioned this pull request May 28, 2025
Closed
@openshift-bot
Copy link

openshift-bot commented Aug 27, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 27, 2025
@candita
Copy link
Contributor

candita commented Aug 28, 2025

@liouk we still need this to resolve a bunch of issues. Can we get this into the next release?

/remove-lifecycle stale

@openshift-ci openshift-ci bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 28, 2025
@candita
Copy link
Contributor

candita commented Nov 3, 2025

@ibihim can we get some movement on this issue? PTAL?

sanchezl
sanchezl suggested changes Nov 11, 2025
View reviewed changes
pkg/crypto/crypto.go
Comment on lines 261 to 262
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // forbidden by http/2
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // forbidden by http/2
Copy link
Contributor

@sanchezl sanchezl Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I concur, let's drop everything not in the current (v5.7) guidelines. Basically drop everything "forbidden by http/2".

@sanchezl sanchezl mentioned this pull request Nov 13, 2025
Merged
@sanchezl
Copy link
Contributor

sanchezl commented Nov 13, 2025

Thank you for this work @liouk!

Work will continue on #2051, which has broader scope to align with the complete Mozilla SSL Configuration Guidelines intermediate profile (https://ssl-config.mozilla.org/guidelines/latest.json).

Closing this PR in favor of #2051.

@sanchezl
Copy link
Contributor

sanchezl commented Nov 13, 2025

Superseded by #2051

@sanchezl
Copy link
Contributor

sanchezl commented Nov 13, 2025

/close

@openshift-ci openshift-ci bot closed this Nov 13, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 13, 2025

@sanchezl: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 13, 2025

@liouk: This pull request references Jira Issue OCPBUGS-17349. The bug has been updated to no longer refer to the pull request using the external bug tracker.

Details

In response to this:

This PR removes the following RSA/CBC/SHA1 insecure TLS ciphers from the list of default ciphers:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Proof PRs:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

@xingxingxia xingxingxia Awaiting requested review from xingxingxia

2 more reviewers

@ibihim ibihim ibihim left review comments

@sanchezl sanchezl sanchezl requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ibihim ibihim

Labels

jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@liouk @openshift-ci-robot @openshift-bot @candita @sanchezl @ibihim