Weak TLS ciphers used by OpenShift components
Environment
- Red Hat OpenShift Container Platform 4.x
Issue
- A security scanner or an nmap scan reports a weak signature algorithm (RSA+SHA1) offered in TLS.
- Ports 17697, 1936, 9099 and 9104 offer cipher suites that scanners flag as weak (static RSA key exchange without forward secrecy, and CBC suites with an HMAC-SHA1 MAC), e.g.:
$ nmap -sV --script ssl-enum-ciphers -p 17697 master-0.cluster-name.domain.com
Nmap scan report for master-0.cluster-name.domain.com (10.0.x.y)
ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Resolution
- There is currently no supported mechanism to change the cipher suites offered on these ports.
- A product-wide fix is planned in shared library code (library-go crypto). For the status of the bug, or if you have further concerns, open a support case.
- These ports serve internal communication and metrics only; they expose no API.
- Where feasible, restrict access to these ports at the firewall so that they are reachable only from the cluster network.
Diagnostic Steps
- Port 17697 is used by the kube-apiserver check-endpoints container, e.g. https://localhost:17697/readyz.
- Port 1936 is the OpenShift router's health-check and stats port (healthz, stats); it is open only on nodes running router pod replicas.
- Port 9099 is the Cluster Version Operator (CVO) metrics endpoint; it exposes no API.
- Port 9104 is the openshift-network-operator metrics endpoint.
- The port types and descriptions are officially documented.
Impact Analysis
- The nmap script lists the suites that other scanners flag (TLS_RSA_* suites with static RSA key exchange and no forward secrecy, and CBC suites with an HMAC-SHA1 MAC), yet it grades every one of them "A".
- As per the nmap script summary:
Each ciphersuite is shown with a letter grade (A through F) indicating the strength of the connection. The grade is based on the cryptographic strength of the key exchange and of the stream cipher. The message integrity (hash) algorithm choice is not a factor.
- The nmap grade therefore does not reflect the lack of forward secrecy in the TLS_RSA_* suites or the SHA-1 based MAC in the *_CBC_SHA suites, which is why a stricter scanner reports them as weak while nmap rates them "A". Note also that the HMAC-SHA1 MAC inside a cipher suite is a different thing from an RSA+SHA1 handshake signature algorithm; ssl-enum-ciphers enumerates cipher suites, not the signature algorithms the server accepts.
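To make the gap between nmap's letter grade and a stricter scanner's verdict concrete, the following Python script (an added example, not Red Hat's or nmap's code) parses ssl-enum-ciphers output and applies, per suite, the checks that nmap's grade deliberately leaves out: static RSA key exchange, CBC mode, and an HMAC-SHA1 record MAC. The embedded sample is constructed from the article's scan of port 17697 so the script runs offline; pass a host and port to run the article's nmap command live instead (requires nmap on the path).

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag suites that stricter
scanners report as weak even though nmap grades them "A".

Added example, not Red Hat's or nmap's code. SAMPLE_NMAP is constructed from
the article's scan of port 17697 so the script can run without a cluster.
"""
import re
import subprocess
import sys

# Constructed sample: the article's ssl-enum-ciphers output for port 17697.
SAMPLE_NMAP = """\
ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""

VERSION_RE = re.compile(r"\|\s+(SSLv3|TLSv1\.[0-3]):")
SUITE_RE = re.compile(r"\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])")


def classify(suite):
    """Return the policy findings for one IANA suite name; an empty list means acceptable.

    These are the properties nmap's grade ignores (it scores only key-exchange
    and cipher strength) but that stricter scanners report as weaknesses.
    """
    findings = []
    if suite.startswith("TLS_RSA_WITH_"):
        findings.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in suite:
        findings.append("CBC mode, not AEAD")
    if suite.endswith("_SHA"):
        findings.append("HMAC-SHA1 record MAC")
    if any(tok in suite for tok in ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_EXPORT")):
        findings.append("broken or export-grade cipher")
    return findings


def parse(text):
    """Yield (protocol, suite, key_exchange_info, nmap_grade) for each suite line."""
    protocol = None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            protocol = m.group(1)  # e.g. "TLSv1.2"; applies to the lines that follow
            continue
        m = SUITE_RE.search(line)
        if m:
            yield protocol, m.group(1), m.group(2), m.group(3)


def report(text):
    """Return one dict per suite with nmap's grade and our findings side by side."""
    return [
        {"protocol": p, "suite": s, "kx": kx, "nmap_grade": g, "findings": classify(s)}
        for p, s, kx, g in parse(text)
    ]


def scan(host, port):
    """Run the article's nmap command live; nmap must be installed."""
    cmd = ["nmap", "-sV", "--script", "ssl-enum-ciphers", "-p", str(port), host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main(argv):
    text = scan(argv[1], argv[2]) if len(argv) == 3 else SAMPLE_NMAP
    for row in report(text):
        status = "FLAG" if row["findings"] else "ok  "
        print(f"{status} {row['protocol'] or '?':<7} {row['suite']:<45} "
              f"nmap={row['nmap_grade']} {'; '.join(row['findings'])}")


if __name__ == "__main__":
    main(sys.argv)
```

On the article's sample this flags 7 of the 13 suites (all four TLS_RSA_* suites and the three ECDHE CBC suites) while nmap's grade stays "A" for every one of them. The script says nothing about the RSA+SHA1 signature-algorithm finding, because ssl-enum-ciphers does not enumerate signature algorithms; to test whether a listener still accepts a SHA-1 handshake signature, probe it directly with a TLS 1.2 handshake restricted to that algorithm, e.g. `openssl s_client -connect master-0.cluster-name.domain.com:17697 -tls1_2 -sigalgs RSA+SHA1` (the host name is the article's placeholder), and check whether the handshake completes.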
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.