Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explicitly set MinVersion of TLS #135

Merged
merged 1 commit into from
Aug 1, 2023
Merged

Explicitly set MinVersion of TLS #135

merged 1 commit into from
Aug 1, 2023

Conversation

clobrano
Copy link
Contributor

Currently, the default MinVersion value for TLS configuration is used,
which is TLS1.0 and considered insecure.

Explicitly set the MinVersion to a secure version of TLS.

closes: https://issues.redhat.com/browse/ECOPROJECT-1419

Signed-off-by: Carlo Lobrano [email protected]

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 12, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clobrano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@clobrano clobrano changed the title Explicitly set MinVersion of TLS [WIP] Explicitly set MinVersion of TLS Jul 12, 2023
@mshitrit
Copy link
Member

/test 4.13-openshift-e2e

@clobrano
Copy link
Contributor Author

Testing with my cluster I am seeing some problems
/hold

@clobrano
Copy link
Contributor Author

but not with ci/prow/4.13-openshift-e2e 🤔

@clobrano
Copy link
Contributor Author

/test 4.14-openshift-e2e

@clobrano clobrano changed the title [WIP] Explicitly set MinVersion of TLS Explicitly set MinVersion of TLS Jul 17, 2023
@clobrano
Copy link
Contributor Author

test passed also in my local cluster /unhold

@clobrano clobrano marked this pull request as ready for review July 17, 2023 09:34
@openshift-ci openshift-ci bot requested review from beekhof and razo7 July 17, 2023 09:34
@mshitrit
Copy link
Member

mshitrit commented Jul 19, 2023
edited
Loading

I might be misunderstanding but I think it might be relevant here (see below - credentials.go L18-22) as well

return credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{*keyPair},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}), nil

Also since it's being used in couple of places, maybe keep a global const with the version ?

@clobrano
Copy link
Contributor Author

I might be misunderstanding but I think it might be relevant here (see below - credentials.go L18-22) as well

return credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{*keyPair},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}), nil

Also since it's being used in couple of places, maybe keep a global const with the version ?

Interesting, these two haven't been found by the scanner

@clobrano
Copy link
Contributor Author

Interesting, these two haven't been found by the scanner

nevermind, at least one of them have been found by the scanner, my bad

@clobrano
Copy link
Contributor Author

/retest

@clobrano
Explicitly set MinVersion of TLS
968cd10 
Currently, the default MinVersion value for TLS configuration is used,
which is TLS1.0 and considered insecure.

Explicitly set the MinVersion to a secure version of TLS.

closes: https://issues.redhat.com/browse/ECOPROJECT-1419

Signed-off-by: Carlo Lobrano <[email protected]>
@clobrano
Copy link
Contributor Author

/retest

2 similar comments
@clobrano
Copy link
Contributor Author

/retest

@clobrano
Copy link
Contributor Author

/retest

@mshitrit
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jul 23, 2023
@clobrano
Copy link
Contributor Author

/unhold

@clobrano
Copy link
Contributor Author

/retest

4 similar comments
@clobrano
Copy link
Contributor Author

/retest

@clobrano
Copy link
Contributor Author

/retest

@mshitrit
Copy link
Member

/retest

@slintes
Copy link
Member

slintes commented Aug 1, 2023

/retest

@clobrano
Copy link
Contributor Author

clobrano commented Aug 1, 2023

I wonder if there is something that is making this test fail. I reproduce the failure also in my cluster (and the same test on the same cluster passes without the change of this PR), but I was waiting for FF to have a deeper analysis

@openshift-merge-robot openshift-merge-robot merged commit 044ff33 into medik8s:main Aug 1, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mshitrit mshitrit mshitrit left review comments

@beekhof beekhof Awaiting requested review from beekhof

@razo7 razo7 Awaiting requested review from razo7

Assignees

@mshitrit mshitrit

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@clobrano @mshitrit @slintes @openshift-merge-robot