Hi Mateus,
this is the output reported:

  # Prevent vulnerability to POODLE attacks
  ssl-default-bind-options no-sslv3

# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the ROUTER_CIPHERS environment variable.
# By default when a cipher set is not provided, intermediate is used.
{{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
  # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
{{ else }}

  {{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
  # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  {{ else }}

    {{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}

  # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 1024
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

    {{- else }}
  # user provided list of ciphers (Colon separated list as seen above)
  # the env default is not used here since we can't get here with empty ROUTER_CIPHERS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers {{env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305"}}
    {{- end }}
  {{- end }}
{{- end }}

defaults
  maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}

  # Add x-forwarded-for header.
{{- if ne (env "ROUTER_SYSLOG_ADDRESS" "") "" }}
  {{- if ne (env "ROUTER_SYSLOG_FORMAT" "") "" }}

Marcello
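To see what the template above actually selects, here is an added Python check (not the OpenShift router's own code) that mirrors the ROUTER_CIPHERS branches and flags legacy suites in the result; the profile strings are constructed, shortened excerpts of the Mozilla lists quoted above, and the HMAC-SHA1 in suite names such as AES128-SHA is a different thing from the SHA-1 signature on the root certificate Marcello asked about.

```python
"""Mirror the ROUTER_CIPHERS selection of the router template quoted above
and flag legacy suites. Added example, not the OpenShift router's own code;
the profile strings are constructed, shortened excerpts of the Mozilla
lists in the template."""
import os

# Constructed excerpts of the three template profiles: (cipher string, dh-param)
PROFILES = {
    "modern": ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256", 2048),
    "intermediate": ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
                     "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS", 2048),
    "old": ("ECDHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:DHE-DSS-AES128-SHA256:"
            "DES-CBC3-SHA:HIGH:SEED:!aNULL:!RC4:!MD5", 1024),
}
WEAK_DH = "DH group below 2048 bits"
KEYWORD = "OpenSSL keyword, expands to many suites (check with `openssl ciphers -v`)"
TRIPLE_DES = "3DES, 64-bit block cipher"
NO_PFS = "no forward secrecy (static RSA key exchange)"
SHA1_MAC = "HMAC-SHA1 CBC suite (unrelated to SHA-1 certificate signatures)"

def select_profile(router_ciphers):
    """Branch exactly as the template does: empty -> intermediate, a known
    name -> that profile, anything else -> user list with dh-param 2048."""
    value = router_ciphers or "intermediate"
    return PROFILES.get(value, (value, 2048))

def audit(cipher_string, dh_param):
    """Return (item, reason) findings for the selected configuration."""
    findings = []
    if dh_param < 2048:
        findings.append(("tune.ssl.default-dh-param", WEAK_DH))
    for suite in cipher_string.split(":"):
        if suite.startswith("!"):               # exclusion, removes suites
            continue
        if "-" not in suite or "+" in suite:    # HIGH, SEED, kEDH+AESGCM, ...
            findings.append((suite, KEYWORD))
            continue
        if "DES-CBC3" in suite:
            findings.append((suite, TRIPLE_DES))
        if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
            findings.append((suite, NO_PFS))
        if suite.endswith("-SHA"):
            findings.append((suite, SHA1_MAC))
    return findings

if __name__ == "__main__":
    ciphers, dh = select_profile(os.environ.get("ROUTER_CIPHERS", ""))
    for item, reason in audit(ciphers, dh):
        print(f"{item}: {reason}")
```

Run it with ROUTER_CIPHERS set to the value you intend to put on the router deployment config to preview the findings before changing the route.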

On Fri, Nov 17, 2017 at 1:36 PM, Mateus Caruccio <
mateus.caruc...@getupcloud.com> wrote:

> Hey Marcello.
>
> Correct me if I'm wrong, but you could look into haproxy's config and set
> all ciphers you need:
>
>     $ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers
> haproxy-config.template
>
> There is this env var `ROUTER_CIPHERS` with which you can choose standard profiles
> (modern|intermediate|old) or define your own list.
>
> Hope this helps.
>
> Mateus
>
>
> --
> Mateus Caruccio / Master of Puppets
> GetupCloud.com
> We make the infrastructure invisible
> Gartner Cool Vendor 2017
>
> 2017-11-17 10:28 GMT-02:00 Marcello Lorenzi <cell...@gmail.com>:
>
>> Hi All,
>> we tried to configure a new route on Openshift Origin 3.6 to expose a pod
>> where the SSL termination is enabled. We have a problem configuring a
>> re-encrypt route because we noticed that the application is not present on
>> the router, and after some investigation we discovered that the problem is
>> related to the pod certificate chain. The chain is formed by:
>>
>> - root certificate sha1
>> - intermediate certificate sha256
>> - server certificate sha256
>>
>> We have updated the root certificate to sha256 and all works fine.
>>
>> Could you confirm if the Openshift router doesn't support the sha1
>> certificate?
>>
>> Thanks,
>> Marcello
>>
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>