Allow specifying haproxy SSL Cipher list

Openshift 3.6 The user can select from among 3 predefined cipher lists: modern, intermediate, or old. Alternatively the use may provide a custom cipher list see "openssl ciphers". The list is used to negotiate a cipher between a user and haproxyi during bind. The predefined lists are from: https://wiki.mozilla.org/Security/Server_Side_TLS A new option to "oc adm router", --ciphers, is added to specify the cipher list. The values are modern|intermediate|old, or a ":" separated list of ciphers from "man 1 ciphers" Option --ciphers creates an environment variable, ROUTER_CIPHERS, which is passed to the router pod. ---------------------- General cleanup: "oadm router" changed to "oc adm router" Code changes are in: Openshift/origin PR 14505 openshift/origin#14505 Trello oeP7vrTZ https://trello.com/c/oeP7vrTZ/285-3-allow-modification-of-haproxys-ssl-cipher-preference-ingress
openshift · Jun 27, 2017 · df264ad · df264ad
1 parent 8e809bd
commit df264ad
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 56 deletions.
diff --git a/architecture/core_concepts/routes.adoc b/architecture/core_concepts/routes.adoc
@@ -125,6 +125,14 @@ WebSocket traffic uses the same route conventions and supports the same TLS
 termination types as other traffic.
 ====
 
+For a secure connection to be established a cipher common to the client and sever
+must be nogotiated. As time goes on new more secure
+link:https://wiki.mozilla.org/Security/Server_Side_TLS[ciphers] become available and
+are integrated into client software. As older clients become obsolete, the older less
+secure ciphers can be dropped.  The router by default, supports a broad range of commonly
+available clients. The router can be configured to use a selected set of xref:ciphers[ciphers]
+that support desired clients and don't include the less secure ciphers.
+
 [[routes-template-routers]]
 
 === Template Routers
@@ -287,14 +295,9 @@ will "linger" around for that period. xref:time-units[(TimeUnits)]
 |`*ROUTER_ALLOW_WILDCARD_ROUTES*`|  |  When set to `true` or `TRUE`, any routes with a wildcard policy of `Subdomain` that pass the router admission checks will be serviced by the HAProxy router.
 |`*ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK*` |  | Set to `true` to relax the namespace ownership policy.
 |`*ROUTER_STRICT_SNI*` |  | xref:strict-sni[strict-sni]
+|`*ROUTER_CIPHERS*` | intermediate  | Specify the set of xref:ciphers[ciphers] supported by bind.
 |===
 
-[[time-units]]
-*TimeUnits* are represented by a number followed by the unit: `us`
-*(microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h`
-*(hours), `d` (days). The regular expression is:
-[1-9][0-9]*(us\|ms\|s\|m\|h\|d)
-
 [NOTE]
 ====
 If you want to run multiple routers on the same machine, you must change the
@@ -303,6 +306,13 @@ ports that the router is listening on, `ROUTER_SERVICE_SNI_PORT` and
 they are unique on the machine. These ports will not be exposed externally.
 ====
 
+[[time-units]]
+== Timeouts
+*TimeUnits* are represented by a number followed by the unit:
+`us` (microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h`
+(hours), `d` (days).
+The regular expression is: [1-9][0-9]*(us\|ms\|s\|m\|h\|d)
+
 [[strict-sni]]
 == HAProxy Strict SNI
 
@@ -324,6 +334,33 @@ $ oc adm router --strict-sni
 
 This sets `ROUTER_STRICT_SNI=true`.
 
+[[ciphers]]
+== Router Cipher Suite
+
+Each client, e.g., Chrome 30, Java8, includes a suite of ciphers that it can use to securely connect with the router.
+The router must have at least one of the ciphers for the connection to complete.  The
+link:https://wiki.mozilla.org/Security/Server_Side_TLS[Security/Server Side TLS] reference guide provides
+three reference profiles that support various clients.
+
+.Router Cipher Profiles
+[cols="2,6", options="header"]
+|===
+|Profile | Oldest compatible client
+|modern| Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8
+|intermediate|Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
+|old|Windows XP IE6, Java 6
+|===
+
+The router defaults to the "intermediate" profile. A different profile may be selected when the router is created
+by using the --ciphers option, or after the router is created by changing the `ROUTER_CIPHERS` environment variable.
+The values are: modern, intermediate, or old. Alternatively, a set of ":" separated ciphers may be provided. The ciphers
+must be from the set displayed by:
+
+----
+openssl ciphers
+----
+
+
 [[route-hostnames]]
 
 == Route Host Names
@@ -968,7 +1005,7 @@ For example, to deny the `[{asterisk}.]open.header.test`, `[{asterisk}.]openshif
 `[{asterisk}.]block.it` routes for the `myrouter` route:
 
 ----
-$ oadm router myrouter ...
+$ oc adm router myrouter ...
 $ oc set env dc/myrouter ROUTER_DENIED_DOMAINS="open.header.test, openshift.org, block.it"
 ----
 
@@ -994,7 +1031,7 @@ $ oc expose service/<name> --hostname="api.openshift.org"
 Alternatively, to block any routes where the host name is _not_ set to `[{asterisk}.]stickshift.org` or `[{asterisk}.]kates.net`:
 
 ----
-$ oadm router myrouter ...
+$ oc adm router myrouter ...
 $ oc set env dc/myrouter ROUTER_ALLOWED_DOMAINS="stickshift.org, kates.net"
 ----
 
@@ -1020,7 +1057,7 @@ $ oc expose service/<name> --hostname="www.deny.it"
 To implement both scenarios, run:
 
 ----
-$ oadm router adrouter ...
+$ oc adm router adrouter ...
 $ oc env dc/adrouter ROUTER_ALLOWED_DOMAINS="openshift.org, kates.net" \
     ROUTER_DENIED_DOMAINS="ops.openshift.org, metrics.kates.net"
 ----
@@ -1114,7 +1151,7 @@ This feature can be set during router creation or by setting an environment
 variable in the router's deployment configuration.
 
 ----
-$ oadm router ... --disable-namespace-ownership-check=true
+$ oc adm router ... --disable-namespace-ownership-check=true
 ----
 
 ----