• Improve this Doc

    Show / Hide Table of Contents

    How to disable weak cipher suites and enable HSTS

    Overview

    This article outlines steps to increase the security of externally exposed routes from your OpenShift cluster, through the use of more secure cipher suites and HTTP Strict Transport Security (HSTS).

    Intended audience

    OpenShift developers who have created and deployed services into OpenShift and created and exposed secure routes for those services.

    Disable weak cipher suites

    Cipher suites perform an important role in determining the security of a TLS connection. Over time, vulnerabilities have been identified in the algorithms used by cipher suites, which has resulted in published methods of decrypting and manipulating encrypted traffic. It's therefore generally recommended to use as modern a cipher suite as possible.

    UKCloud for OpenShift v3.x

    Data plane

    To provide extended client compatibility, the OpenShift router supports cipher suites from TLS 1.0 - TLS 1.2 by default. Some of these cipher suites (especially older ones) are vulnerable to man-in-the-middle (MITM) attacks.

    If exposed secure routes are only being accessed from modern clients (that support TLS 1.2 and above), you can disable the weak cipher suites by adding the following environment variable to any router DeploymentConfig:

    oc set env dc/router ROUTER_CIPHERS=modern -n default
    

    This triggers a rollout of the DeploymentConfig. Going forward, the new router pods will only accept cipher suites from TLS 1.2.

    Control plane

    By default, the OpenShift control plane (web console) only supports TLS 1.2 ciphers, although these do not provide forward secrecy.

    We can restrict the ciphers to only those that provide forward secrecy. To do this, raise a Service Request with the UKCloud OpenShift Support team via the My Calls section of the UKCloud Portal.

    UKCloud for OpenShift v4.x

    Data plane

    There are no weak ciphers supported by the OpenShift IngressController since by default it supports TLS 1.2 cipher suites with forward secrecy. It is possible to further restrict the ciphers by modifying the default IngressController object, specifically the value of IngressController.spec.tlsSecurityProfile:

    oc edit ingresscontroller default -n openshift-ingress-operator
    

    As an example, the below would omit cipher suites using the DHE key exchange:

    apiVersion: operator.openshift.io/v1
    kind: IngressController
    metadata:
      name: example
      namespace: openshift-ingress-operator
    spec:
      tlsSecurityProfile:
        type: Custom
        custom:
          ciphers:
            - TLS_AES_128_GCM_SHA256
            - TLS_AES_256_GCM_SHA384
            - TLS_CHACHA20_POLY1305_SHA256
            - ECDHE-ECDSA-AES128-GCM-SHA256
            - ECDHE-RSA-AES128-GCM-SHA256
            - ECDHE-ECDSA-AES256-GCM-SHA384
            - ECDHE-RSA-AES256-GCM-SHA384
            - ECDHE-ECDSA-CHACHA20-POLY1305
            - ECDHE-RSA-CHACHA20-POLY1305
          minTLSVersion: VersionTLS12
    

    Control plane

    There are no weak ciphers supported by the OpenShift control plane (API) since by default it supports TLS 1.2 and 1.3 cipher suites with forward secrecy.

    Enable HSTS

    HSTS (HTTP Strict Transport Security) prevents MITM attacks, such as protocol downgrading by setting a header within HTTPS responses. This header (Strict-Transport-Security) is cached by a browser and ensures that future requests to the same host always use HTTPS rather than HTTP.

    Note

    It is currently not possible to enable HSTS for the the OpenShift v3.x web console or OpenShift v4.x API server.

    Warning

    You should enable HSTS only on routes that currently have a valid certificate. If the certificate becomes invalid, the route will be inaccessible, due to how browsers' HSTS mechanisms works. You should exercise particular caution if you're using a non-standard hostname (that is, not ending in <your-cluster-hostname>.ukcloud.com) for a route. In this case you should ensure a valid certificate is contained within the route spec (for edge and re-encrypt routes) or within the container (if using the pass-through TLS encryption method).

    Enable HSTS on secure routes by using the following command:

    oc annotate route <routename> haproxy.router.openshift.io/hsts_header=max-age=31536000
    

    By default in UKCloud for OpenShift v4.x clusters, the following apps routes provisioned during deployment have HSTS enabled:

    • OpenShift Console

    • Kibana

    • AlertManager

    • Grafana

    • Prometheus

    • Thanos

    Further reading

    • https://wiki.mozilla.org/Security/Server_Side_TLS

    • https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    UKCloud for OpenShift v3.x Specific

    • https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html#bind-ciphers

    • https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-enabling-hsts

    UKCloud for OpenShift v4.x Specific

    • https://docs.openshift.com/container-platform/4.4/networking/routes/route-configuration.html#nw-enabling-hsts_route-configuration

    Feedback

    If you find a problem with this article, click Improve this Doc to make the change yourself or raise an issue in GitHub. If you have an idea for how we could improve any of our services, send an email to feedback@ukcloud.com.

    ☀
    ☾
    Generated by DocFX
    Back to top
    © UKCloud Ltd, 2022. All Rights Reserved.
    Privacy Policy. Terms of Use. Contribute.

    The UKCloud Knowledge Centre uses cookies to ensure that we give you the best experience on our website. If you continue we assume that you consent to receive all cookies on this website.