
Commit 8dd758c

committed
[CHORE] Drop workaround for TLSv1.3 ciphers
github.com/openshift/library-go/pull/1956 got merged so we can drop the workaround for TLSv1.3 ciphers. Signed-off-by: Simone Tiraboschi <[email protected]>
1 parent bc7b2c3 commit 8dd758c


9 files changed

+28
-55
lines changed


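--- a/cmd/hyperconverged-cluster-webhook/main.go
+++ b/cmd/hyperconverged-cluster-webhook/main.go
@@ -183,31 +183,12 @@ func main() {
 }
 
 func MutateTLSConfig(cfg *tls.Config) {
-var ciphersTLS13 = map[string]uint16{
-"TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
-"TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
-"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
-}
-
 // This callback executes on each client call returning a new config to be used
 // please be aware that the APIServer is using http keepalive so this is going to
 // be executed only after a while for fresh connections and not on existing ones
 cfg.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
 cipherNames, minTypedTLSVersion := validator.SelectCipherSuitesAndMinTLSVersion()
-
-// TODO: workaround: TLSv1.3 ciphers are now enabled on openshift/library-go
-// but on the other side crypto.CipherSuitesOrDie is still failing with an
-// explict error when it encounters the name of a TLSv1.3 cipher.
-// Remove the workaround once we can consume https://github.com/openshift/library-go/pull/1956
-cipherNamesIANAC := crypto.OpenSSLToIANACipherSuites(cipherNames)
-cipherNamesFilteredNoTLS13 := []string{}
-for _, cipherName := range cipherNamesIANAC {
-if _, ok := ciphersTLS13[cipherName]; !ok {
-cipherNamesFilteredNoTLS13 = append(cipherNamesFilteredNoTLS13, cipherName)
-}
-}
-
-cfg.CipherSuites = crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(cipherNamesFilteredNoTLS13))
+cfg.CipherSuites = crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(cipherNames))
 cfg.MinVersion = crypto.TLSVersionOrDie(string(minTypedTLSVersion))
 return cfg, nil
 }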
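Review bot: The new line 191 still calls `crypto.CipherSuitesOrDie` (and the next line `crypto.TLSVersionOrDie`) inside `GetConfigForClient`, so a cipher name the vendored library-go does not recognise becomes a panic on a fresh client handshake rather than a startup failure or a rejected connection, and with the TLSv1.3 filter gone every name the validator returns now reaches that call. Since the callback already returns `(*tls.Config, error)`, the error-returning counterparts in library-go's crypto package would let it fail only that handshake: `suites, err := crypto.CipherSuites(crypto.OpenSSLToIANACipherSuites(cipherNames))` followed by `if err != nil { return nil, err }` and the same for the minimum version — confirm those non-panicking variants are present in the vendored revision. Also worth a look, although pre-existing, is that the callback mutates and returns the shared `cfg` on every call instead of a clone, which matters once it runs concurrently for new connections. `MutateTLSConfig` ends outside the hunk; the closing brace shown belongs to the callback.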

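--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 github.com/openshift/api v3.9.1-0.20190517100836-d5b34b957e91+incompatible
 github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481d56a6c34e
 github.com/openshift/custom-resource-status v1.1.2
-github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4
+github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2
 github.com/operator-framework/api v0.30.0
 github.com/operator-framework/operator-lib v0.17.0
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.81.0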

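--- a/go.sum
+++ b/go.sum
@@ -240,8 +240,8 @@ github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481
 github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481d56a6c34e/go.mod h1:wl2qvwuZU+YWNingOkAzabrH5BJwd4OhUH5FAtOG00U=
 github.com/openshift/custom-resource-status v1.1.2 h1:C3DL44LEbvlbItfd8mT5jWrqPfHnSOQoQf/sypqA6A4=
 github.com/openshift/custom-resource-status v1.1.2/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA=
-github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4 h1:MDnTCGqFUULZ4+0fr0sQYlB80yTun8nEZ062azvFSCk=
-github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
+github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2 h1:2J99k2da7QBIa0i3H/MymyDHo5cHc5k5JG0xbrsGIok=
+github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
 github.com/operator-framework/api v0.30.0 h1:44hCmGnEnZk/Miol5o44dhSldNH0EToQUG7vZTl29kk=
 github.com/operator-framework/api v0.30.0/go.mod h1:FYxAPhjtlXSAty/fbn5YJnFagt6SpJZJgFNNbvDe5W0=
 github.com/operator-framework/operator-lib v0.17.0 h1:cbz51wZ9+GpWR1ZYP4CSKSSBxDlWxmmnseaHVZZjZt4=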

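--- a/hack/tlsprofiles/custom.expected
+++ b/hack/tlsprofiles/custom.expected
@@ -4,15 +4,8 @@ PORT STATE SERVICE
 | TLSv1.2:
 | ciphers:
 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
-| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
 | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
-| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
-| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
 | compressors:
 | NULL
 | cipher preference: server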

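--- a/hack/tlsprofiles/intermediate.expected
+++ b/hack/tlsprofiles/intermediate.expected
@@ -4,18 +4,11 @@ PORT STATE SERVICE
 | TLSv1.2:
 | ciphers:
 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
-| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
-| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
-| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
-| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
-| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
 | compressors:
 | NULL
-| cipher preference: server
+| cipher preference: client
 | TLSv1.3:
 | ciphers:
 | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A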
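Review bot: The TLSv1.2 block's `cipher preference` flips from `server` to `client` at new line 11, and the TLSv1.2 suite list shrinks to three entries, neither of which the commit message explains beyond dropping the TLSv1.3 workaround. If the library-go bump changed how the Intermediate profile selects and orders suites this may be correct, but the reason belongs in the description, since this expectation file is presumably what the TLS-profile check enforces from now on. The hunk ends mid-file.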

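--- a/hack/tlsprofiles/intermediate.expected.fips
+++ b/hack/tlsprofiles/intermediate.expected.fips
@@ -5,6 +5,9 @@ PORT STATE SERVICE
 | ciphers:
 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A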
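Review bot: After this change the FIPS fixture lists `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` and `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` twice each (new lines 6 and 8, 9 and 12, 7 and 10). A scanner normally reports each negotiated suite once, so either the expected output was edited by hand or the server is now advertising a duplicated suite list; it is worth regenerating this file from an actual scan before merging rather than locking in the duplicates. The cipher block continues outside the hunk.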

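--- a/hack/tlsprofiles/old.expected
+++ b/hack/tlsprofiles/old.expected
@@ -7,18 +7,24 @@ PORT STATE SERVICE
 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 | compressors:
 | NULL
 | cipher preference: server
+| warnings:
+| 64-bit block cipher 3DES vulnerable to SWEET32 attack
 | TLSv1.1:
 | ciphers:
 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 | compressors:
 | NULL
 | cipher preference: server
+| warnings:
+| 64-bit block cipher 3DES vulnerable to SWEET32 attack
 | TLSv1.2:
 | ciphers:
 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
@@ -30,14 +36,18 @@ PORT STATE SERVICE
 | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
 | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
 | compressors:
 | NULL
 | cipher preference: server
+| warnings:
+| 64-bit block cipher 3DES vulnerable to SWEET32 attack
 | TLSv1.3:
 | ciphers:
 | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
 | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
 | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
 | cipher preference: server
-|_ least strength: A
+|_ least strength: C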
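Review bot: The updated fixture now expects the Old profile to offer `TLS_RSA_WITH_3DES_EDE_CBC_SHA` on TLSv1.0, 1.1 and 1.2 (new lines 10, 22 and 39), with the scanner's SWEET32 warning after each block and `least strength: C` at line 53, while the commit message only speaks of dropping the TLSv1.3 workaround. If enabling 3DES is an intended consequence of the library-go bump, the description should say so; if not, this is a profile regression that the expectation file would now lock in. Either way this file is the only place the change is visible, so a sentence in the commit message naming it would help a later reader.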

vendor/github.com/openshift/library-go/pkg/crypto/crypto.go

Lines changed: 6 additions & 13 deletions

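--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -204,7 +204,7 @@ github.com/openshift/cluster-kube-descheduler-operator/pkg/apis/descheduler/v1
 ## explicit; go 1.12
 github.com/openshift/custom-resource-status/conditions/v1
 github.com/openshift/custom-resource-status/objectreferences/v1
-# github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4
+# github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2
 ## explicit; go 1.23.0
 github.com/openshift/library-go/pkg/crypto
 # github.com/operator-framework/api v0.30.0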
