kubevirt/hyperconverged-cluster-operator

When using TLS13 it should not be allowed to specify any ciphers

0xFelix opened this issue · 1 comments

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind enhancement

What happened:

When using minTLSVersion: VersionTLS13, HCO accepts custom ciphers even though it is not possible to configure ciphers at all in Golang when using TLS 1.3.

oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'

This command returns success, but translates to the following tlsConfiguration on the KubeVirt CR:

tlsConfiguration:
  minTLSVersion: VersionTLS13

What you expected to happen:

This command should fail:

oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'

How to reproduce it (as minimally and precisely as possible):

Run the mentioned command and observe the KubeVirt CR.

Anything else we need to know?:

Environment:

  • HCO version (use oc get csv -n kubevirt-hyperconverged):
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • Install tools:
  • Others:
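
The check this report asks for, as an added example that is not HCO's own code: a custom profile with minTLSVersion VersionTLS13 and a non-empty cipher list is rejected, and a second helper shows that neither cipher from the oc patch command is one crypto/tls lets a Config select. The names validateCustomProfile, configurableSuites and tlsVersions are hypothetical, and cipher names are assumed to be the IANA names that tls.CipherSuites() reports.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Profile version strings as written on the page, mapped to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// configurableSuites returns the IDs of the named suites that Go honours in
// tls.Config.CipherSuites, i.e. suites usable below TLS 1.3.
// Assumption: names are the IANA names reported by tls.CipherSuites().
func configurableSuites(names []string) []uint16 {
	wanted := map[string]bool{}
	for _, n := range names {
		wanted[n] = true
	}
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		// SupportedVersions is ascending; TLS 1.3-only suites list only VersionTLS13.
		if wanted[s.Name] && s.SupportedVersions[0] < tls.VersionTLS13 {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

// validateCustomProfile (hypothetical) rejects a cipher list that cannot take effect.
func validateCustomProfile(minTLSVersion string, ciphers []string) error {
	minVer, ok := tlsVersions[minTLSVersion]
	if !ok {
		return fmt.Errorf("unknown minTLSVersion %q", minTLSVersion)
	}
	if minVer == tls.VersionTLS13 && len(ciphers) > 0 {
		return fmt.Errorf("ciphers %v rejected: TLS 1.3 cipher suites are not configurable in Go", ciphers)
	}
	return nil
}

func main() {
	// Values taken from the oc patch command on the page.
	ciphers := []string{"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}
	fmt.Println(validateCustomProfile("VersionTLS13", ciphers))
	fmt.Println(len(configurableSuites(ciphers)))
}
```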