-
Notifications
You must be signed in to change notification settings - Fork 422
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change TLS MinVersion to tls.VersionTLS12
in order to make Triggers run on OCP where FIPS enabled
#1518
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
@savitaashture Removing min version in the tls, is flagged as a security issue by gosec. Does it really resolve FIPS? |
+1. Don't know a lot about FIPS but from https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant it sounds like you have to build with a different set of crypto libraries for it to be FIPS compatible? |
6d79fe3
to
004b59d
Compare
Looked deeper and discussed with those who know about FIPS Reason:
So now changed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: khrm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @savitaashture - the explanation is very helpful. Can we update the PR description/commit message with this? |
tls.VersionTLS12
in order to make Triggers run on OCP where FIPS enabled
Thank you @dibyom Updated commit message and Description |
/test pull-tekton-triggers-integration-tests |
2 similar comments
/test pull-tekton-triggers-integration-tests |
/test pull-tekton-triggers-integration-tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/kind bug
Changes
Fixes: tls: client offered only unsupported versions #1463 this issue occurs on Openshift cluster where fips are enabled
Issue:
http: TLS handshake error from 10.128.2.1:36306: tls: client offered only unsupported versions: [303]
RCA:
During peer-peer https communication, when TLS handshake is happening, at a stage where both server and client mutually agree for a common TLS version and cipher,, The Triggers Interceptor server is enabled or only allow TLS 1.3 and corresponding ciphers today, where the client(OCP) giving a TLS 1.2 tls version and cipher(Based on error http: TLS handshake error from 10.128.2.1:36306: tls: client offered only unsupported versions: [303] Ref,)
which result in the TLS handshake not happening as there is no mutual TLS version to negotiate from both (server and client ) side
OCP uses MInTLS as 1.2 for all components
Fix:
Moved config/interceptors/interceptor-secrets.yaml to config/interceptors/00-interceptor-secrets.yaml so that secrets will be created before core-intercetor pod start this solves issue like
tekton-triggers-core-interceptors-certs
not foundSubmitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Release Notes