Bug 1823852: pkg/server: disable weak TLS versions #1649

runcom · 2020-04-14T16:13:10Z

Coming from an user request but it makes sense as we (OpenShift) use and control
that port.

It's not fully clear to me if we can drop tls < 1.2 but I'm leaning toward so for security reasons

Signed-off-by: Antonio Murdaca runcom@linux.com

Coming from an user request but it makes sense as we (OpenShift) use and control that port. Signed-off-by: Antonio Murdaca <runcom@linux.com>

openshift-ci-robot · 2020-04-14T16:13:16Z

@runcom: This pull request references Bugzilla bug 1823852, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.5.0) matches configured target release for branch (4.5.0)
bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Details

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot · 2020-04-14T16:20:23Z

@runcom: This pull request references Bugzilla bug 1823852, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.5.0) matches configured target release for branch (4.5.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Details

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

runcom · 2020-04-14T16:33:13Z

/cherry-pick release-4.4

openshift-cherrypick-robot · 2020-04-14T16:33:14Z

@runcom: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.4
/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

runcom · 2020-04-14T16:33:29Z

/cherry-pick release-4.3

openshift-cherrypick-robot · 2020-04-14T16:33:29Z

@runcom: once the present PR merges, I will cherry-pick it on top of release-4.3 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

runcom · 2020-04-14T16:33:59Z

/retest

runcom · 2020-04-14T17:09:02Z

/retest
/skip

openshift-ci-robot · 2020-04-14T17:09:26Z

@runcom: The /retest command does not accept any targets.
The following commands are available to trigger jobs:

/test e2e-aws
/test e2e-aws-disruptive
/test e2e-aws-scaleup-rhel7
/test e2e-gcp-op
/test e2e-gcp-upgrade
/test e2e-metal-ipi
/test e2e-openstack
/test e2e-ovirt
/test e2e-vsphere
/test images
/test unit
/test verify

Use /test all to run all jobs.

Details

In response to this:

/retest
/skip

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ashcrow · 2020-04-14T17:11:12Z

/retest

ashcrow · 2020-04-14T19:25:35Z

/retest

pkg/server/api.go

runcom · 2020-04-15T07:14:09Z

/skip

runcom · 2020-04-15T08:22:02Z

/hold cancel

runcom · 2020-04-15T08:22:26Z

This is good to go now, ptal

pkg/server/api.go

Co-Authored-By: Colin Walters <walters@verbum.org> Signed-off-by: Antonio Murdaca <runcom@linux.com>

cgwalters · 2020-04-15T13:11:40Z

It's not fully clear to me if we can drop tls < 1.2 but I'm leaning toward so for security reasons

The only thing hitting this endpoint now should be CoreOS; so the minimum version here is really "maximum TLS supported by CoreOS". I suspect in fact we could bump it up to 1.3.

Although, I guess more precisely it's "maximum TLS supported by RHCOS 4.1...since we don't update bootimages yet.

runcom · 2020-04-15T15:45:50Z

The only thing hitting this endpoint now should be CoreOS; so the minimum version here is really "maximum TLS supported by CoreOS". I suspect in fact we could bump it up to 1.3.

Although, I guess more precisely it's "maximum TLS supported by RHCOS 4.1...since we don't update bootimages yet.

awesome, that was my impression as well: since we control the other side of the connection, we can safely assume those are going to be the only proto to be used.

Anyway, since TLS 1.2 doesn't seem to be an issue, what if we stick with that? or do you feel strong about moving to 1.3?

runcom · 2020-04-15T15:47:32Z

from all the e2e tests failing tho, I'm not sure if we can do this lol will keep checking.

kikisdeliveryservice · 2020-04-16T17:24:36Z

/skip

openshift-ci-robot · 2020-04-23T08:26:12Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashcrow, runcom, sinnykumari

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [ashcrow,runcom,sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

runcom · 2020-04-23T10:03:36Z

/retest

runcom · 2020-04-23T11:05:50Z

/refresh

runcom · 2020-04-23T11:06:12Z

/refresh

runcom · 2020-04-23T11:06:34Z

/retest e2e-aws

openshift-ci-robot · 2020-04-23T11:06:49Z

@runcom: The /retest command does not accept any targets.
The following commands are available to trigger jobs:

/test e2e-aws
/test e2e-aws-disruptive
/test e2e-aws-scaleup-rhel7
/test e2e-gcp-op
/test e2e-gcp-upgrade
/test e2e-metal-ipi
/test e2e-openstack
/test e2e-ovirt
/test e2e-vsphere
/test images
/test unit
/test verify

Use /test all to run all jobs.

Details

In response to this:

/retest e2e-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

runcom · 2020-04-23T11:11:37Z

/test e2e-aws

openshift-bot · 2020-04-23T12:44:41Z

/retest

Please review the full test history for this PR and help us cut down flakes.

runcom · 2020-04-23T14:10:27Z

/refresh
/retest

runcom · 2020-04-23T14:11:54Z

/test e2e-aws

runcom · 2020-04-23T15:54:12Z

/retest

runcom · 2020-04-23T17:36:10Z

/refresh

runcom · 2020-04-23T17:36:16Z

/retest

kikisdeliveryservice · 2020-04-23T18:11:04Z

PR seems to be hitting a lot of prometheus related erors in e2e-aws.. are these flakes/known bugs?

runcom · 2020-04-23T20:36:12Z

/refresh

openshift-bot · 2020-04-23T22:41:20Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-04-23T23:07:10Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci-robot · 2020-04-24T00:18:34Z

@runcom: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	`f76bd18`	link	`/test e2e-aws-scaleup-rhel7`

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2020-04-24T00:25:13Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-04-24T01:17:15Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci-robot · 2020-04-24T01:57:51Z

@runcom: All pull requests linked via external trackers have merged: openshift/machine-config-operator#1649. Bugzilla bug 1823852 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-cherrypick-robot · 2020-04-24T01:58:08Z

@runcom: new pull request created: #1680

Details

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-cherrypick-robot · 2020-04-24T01:58:16Z

@runcom: new pull request created: #1681

Details

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

pkg/server: disable weak TLS versions

a49cd96

Coming from an user request but it makes sense as we (OpenShift) use and control that port. Signed-off-by: Antonio Murdaca <runcom@linux.com>

openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Apr 14, 2020

runcom added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 14, 2020

openshift-ci-robot requested review from ericavonb and sinnykumari April 14, 2020 16:13

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 14, 2020

ashcrow approved these changes Apr 14, 2020

View reviewed changes

cgwalters reviewed Apr 14, 2020

View reviewed changes

pkg/server/api.go Show resolved Hide resolved

pkg/server/api.go Show resolved Hide resolved

openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 15, 2020

sinnykumari reviewed Apr 15, 2020

View reviewed changes

pkg/server/api.go Outdated Show resolved Hide resolved

pkg/server: add a note on disallowing tls 1.1/1.0

f76bd18

Co-Authored-By: Colin Walters <walters@verbum.org> Signed-off-by: Antonio Murdaca <runcom@linux.com>

runcom force-pushed the tls-weak branch from 16f76a9 to f76bd18 Compare April 15, 2020 11:57

openshift-ci-robot assigned sinnykumari Apr 23, 2020

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2020

openshift-merge-robot merged commit a6dc119 into openshift:master Apr 24, 2020

openshift-cherrypick-robot mentioned this pull request Apr 24, 2020

[release-4.4] Bug 1827539: pkg/server: disable weak TLS versions #1680

Merged

openshift-cherrypick-robot mentioned this pull request Apr 24, 2020

[release-4.3] Bug 1827540: pkg/server: disable weak TLS versions #1681

Merged

runcom deleted the tls-weak branch April 24, 2020 06:58

runcom mentioned this pull request Jun 9, 2020

Bug 1844990: pkg/server: default to TLS 1.3 #1793

Merged

Bug 1823852: pkg/server: disable weak TLS versions #1649

Bug 1823852: pkg/server: disable weak TLS versions #1649

Uh oh!

Conversation

runcom commented Apr 14, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Apr 14, 2020

Uh oh!

openshift-ci-robot commented Apr 14, 2020

Uh oh!

runcom commented Apr 14, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-cherrypick-robot commented Apr 14, 2020

Uh oh!

runcom commented Apr 14, 2020

Uh oh!

openshift-cherrypick-robot commented Apr 14, 2020

Uh oh!

runcom commented Apr 14, 2020

Uh oh!

runcom commented Apr 14, 2020

Uh oh!

openshift-ci-robot commented Apr 14, 2020

Uh oh!

ashcrow commented Apr 14, 2020

Uh oh!

ashcrow commented Apr 14, 2020

Uh oh!

Uh oh!

Uh oh!

runcom commented Apr 15, 2020

Uh oh!

runcom commented Apr 15, 2020

Uh oh!

runcom commented Apr 15, 2020

Uh oh!

Uh oh!

cgwalters commented Apr 15, 2020

Uh oh!

runcom commented Apr 15, 2020

Uh oh!

runcom commented Apr 15, 2020

Uh oh!

kikisdeliveryservice commented Apr 16, 2020

Uh oh!

openshift-ci-robot commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

openshift-ci-robot commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

openshift-bot commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

kikisdeliveryservice commented Apr 23, 2020

Uh oh!

runcom commented Apr 23, 2020

Uh oh!

openshift-bot commented Apr 23, 2020

Uh oh!

openshift-bot commented Apr 23, 2020

runcom commented Apr 14, 2020 •

edited

Loading

runcom commented Apr 14, 2020 •

edited

Loading

openshift-ci-robot commented Apr 24, 2020 •

edited

Loading