OSSM failed to initialize cipher suites ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305

Solution Verified - Updated -

Issue

  • istiod fails to initialize the cipher suites TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 that are configured in the ServiceMeshControlPlane (SMCP), and the sidecar Envoy rejects the listener update (ADS:LDS ACK ERROR).
$ oc get smcp basic -oyaml
...
spec:
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  policy:
    type: Istiod
  profiles:
  - default
  proxy:
    networking:
      protocol:
        autoDetect:
          inbound: true
          outbound: true
      trafficControl:
        outbound:
          includedIPRanges:
          - 10.128.0.0/16,172.30.0.0/16
  security:
    controlPlane:
      mtls: true
      tls:
        cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    dataPlane:
      automtls: true
      mtls: true

$ oc logs istiod-basic-758f779f6c-s5tx9
...
2023-08-25T13:10:08.161399128Z 2023-08-25T13:10:08.161320Z      info    ads     EDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:399 size:163.6kB empty:0 cached:399/399
2023-08-25T13:10:08.202092815Z 2023-08-25T13:10:08.202021Z      info    ads     LDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:131 size:320.3kB
2023-08-25T13:10:08.203672974Z 2023-08-25T13:10:08.203637Z      info    ads     NDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:1 size:57.4kB
2023-08-25T13:10:08.418616386Z 2023-08-25T13:10:08.418529Z      info    ads     RDS: PUSH request for node:camunda-backup-28216150-5rfjr.camunda-dev resources:60 size:261.1kB cached:54/60
2023-08-25T13:10:08.418616386Z 2023-08-25T13:10:08.418596Z      warn    ads     ADS:LDS: ACK ERROR camunda-backup-28216150-5rfjr.camunda-dev-625 Internal:Error adding/updating listener(s) virtualInbound: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
2023-08-25T13:10:08.418616386Z 
2023-08-25T13:13:41.273585205Z 2023-08-25T13:13:41.273501Z      warn    Insecure first-party-jwt option used to validate token; use third-party-jwt
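An added triage helper, not part of the Red Hat article: it parses the istiod ACK ERROR warn line above, maps the OpenSSL-style names Envoy reports back to the IANA names used in the SMCP, and lists which configured cipherSuites entries correspond to the rejected ciphers. The sample log line and SMCP value are constructed copies of the ones quoted above, and the IANA-to-OpenSSL mapping assumes only the suite shapes present in this SMCP.

```python
import re

# Constructed copy of the istiod "ACK ERROR" warn line quoted above (timestamps trimmed).
ISTIOD_WARN = (
    "2023-08-25T13:10:08.418596Z warn ads ADS:LDS: ACK ERROR "
    "camunda-backup-28216150-5rfjr.camunda-dev-625 Internal:Error adding/updating "
    "listener(s) virtualInbound: Failed to initialize cipher suites "
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-SHA. The following ciphers were rejected when tried "
    "individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305"
)

# spec.security.controlPlane.tls.cipherSuites exactly as in the SMCP above:
# one list item holding a comma-joined string, not one item per suite.
SMCP_CIPHER_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
]

REJECTED_RE = re.compile(r"rejected when tried individually:\s*(?P<names>[A-Z0-9:_, -]+)$")

def rejected_ciphers(log_line):
    """OpenSSL-style names Envoy rejected, or [] if the line is not that warning."""
    m = REJECTED_RE.search(log_line)
    if not m:
        return []
    return [c.strip() for c in m.group("names").split(",") if c.strip()]

def iana_to_openssl(name):
    """IANA suite name -> OpenSSL name (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ->
    ECDHE-RSA-AES128-GCM-SHA256). Assumes only the suite shapes used in this SMCP."""
    s = name[4:] if name.startswith("TLS_") else name
    s = s.replace("_WITH_", "_").replace("AES_128", "AES128").replace("AES_256", "AES256")
    s = s.replace("CHACHA20_POLY1305_SHA256", "CHACHA20-POLY1305")  # OpenSSL omits the hash
    s = s.replace("_CBC_SHA", "_SHA")                                  # and the "CBC" marker
    return s.replace("_", "-")

def smcp_entries_rejected(cipher_suites, log_line):
    """SMCP entries whose OpenSSL name appears in the rejected list of the warn line.
    Splits each list item on commas as well, so the comma-joined SMCP form is handled."""
    configured = [c.strip() for item in cipher_suites for c in item.split(",") if c.strip()]
    rejected = set(rejected_ciphers(log_line))
    return [c for c in configured if iana_to_openssl(c) in rejected]
```

Run it over `oc logs` output of the istiod pod to see which SMCP entries the sidecar's TLS library refused; it only reports the mapping and does not say why the ciphers are unavailable on a given build.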

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 4.x
  • Red Hat OpenShift Service Mesh
    • 2.x
