kubevirt · tiraboschi · Apr 22, 2025
diff --git a/cmd/hyperconverged-cluster-webhook/main.go b/cmd/hyperconverged-cluster-webhook/main.go
@@ -183,31 +183,12 @@ func main() {
 }
 
 func MutateTLSConfig(cfg *tls.Config) {
-	var ciphersTLS13 = map[string]uint16{
-		"TLS_AES_128_GCM_SHA256":       tls.TLS_AES_128_GCM_SHA256,
-		"TLS_AES_256_GCM_SHA384":       tls.TLS_AES_256_GCM_SHA384,
-		"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
-	}
-
 	// This callback executes on each client call returning a new config to be used
 	// please be aware that the APIServer is using http keepalive so this is going to
 	// be executed only after a while for fresh connections and not on existing ones
 	cfg.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
 		cipherNames, minTypedTLSVersion := validator.SelectCipherSuitesAndMinTLSVersion()
-
-		// TODO: workaround: TLSv1.3 ciphers are now enabled on openshift/library-go
-		// but on the other side crypto.CipherSuitesOrDie is still failing with an
-		// explict error when it encounters the name of a TLSv1.3 cipher.
-		// Remove the workaround once we can consume https://github.com/openshift/library-go/pull/1956
-		cipherNamesIANAC := crypto.OpenSSLToIANACipherSuites(cipherNames)
-		cipherNamesFilteredNoTLS13 := []string{}
-		for _, cipherName := range cipherNamesIANAC {
-			if _, ok := ciphersTLS13[cipherName]; !ok {
-				cipherNamesFilteredNoTLS13 = append(cipherNamesFilteredNoTLS13, cipherName)
-			}
-		}
-
-		cfg.CipherSuites = crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(cipherNamesFilteredNoTLS13))
+		cfg.CipherSuites = crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(cipherNames))
 		cfg.MinVersion = crypto.TLSVersionOrDie(string(minTypedTLSVersion))
 		return cfg, nil
 	}

diff --git a/go.mod b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/openshift/api v3.9.1-0.20190517100836-d5b34b957e91+incompatible
 	github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481d56a6c34e
 	github.com/openshift/custom-resource-status v1.1.2
-	github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4
+	github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2
 	github.com/operator-framework/api v0.30.0
 	github.com/operator-framework/operator-lib v0.17.0
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.81.0

diff --git a/go.sum b/go.sum
@@ -240,8 +240,8 @@ github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481
 github.com/openshift/cluster-kube-descheduler-operator v0.0.0-20250410114548-481d56a6c34e/go.mod h1:wl2qvwuZU+YWNingOkAzabrH5BJwd4OhUH5FAtOG00U=
 github.com/openshift/custom-resource-status v1.1.2 h1:C3DL44LEbvlbItfd8mT5jWrqPfHnSOQoQf/sypqA6A4=
 github.com/openshift/custom-resource-status v1.1.2/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA=
-github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4 h1:MDnTCGqFUULZ4+0fr0sQYlB80yTun8nEZ062azvFSCk=
-github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
+github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2 h1:2J99k2da7QBIa0i3H/MymyDHo5cHc5k5JG0xbrsGIok=
+github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
 github.com/operator-framework/api v0.30.0 h1:44hCmGnEnZk/Miol5o44dhSldNH0EToQUG7vZTl29kk=
 github.com/operator-framework/api v0.30.0/go.mod h1:FYxAPhjtlXSAty/fbn5YJnFagt6SpJZJgFNNbvDe5W0=
 github.com/operator-framework/operator-lib v0.17.0 h1:cbz51wZ9+GpWR1ZYP4CSKSSBxDlWxmmnseaHVZZjZt4=

diff --git a/hack/tlsprofiles/custom.expected b/hack/tlsprofiles/custom.expected
@@ -4,15 +4,8 @@ PORT     STATE SERVICE
 |   TLSv1.2: 
 |     ciphers: 
 |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
-|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
 |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
-|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
-|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
 |     compressors: 
 |       NULL
 |     cipher preference: server

diff --git a/hack/tlsprofiles/intermediate.expected b/hack/tlsprofiles/intermediate.expected
@@ -4,18 +4,11 @@ PORT     STATE SERVICE
 |   TLSv1.2: 
 |     ciphers: 
 |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
 |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
-|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
-|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
-|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
-|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
-|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
-|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
 |     compressors: 
 |       NULL
-|     cipher preference: server
+|     cipher preference: client
 |   TLSv1.3: 
 |     ciphers: 
 |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A

diff --git a/hack/tlsprofiles/intermediate.expected.fips b/hack/tlsprofiles/intermediate.expected.fips
@@ -5,6 +5,15 @@ PORT     STATE SERVICE
 |     ciphers: 
 |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
 |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
+|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
 |       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
 |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 |       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

diff --git a/hack/tlsprofiles/old.expected b/hack/tlsprofiles/old.expected
@@ -7,18 +7,24 @@ PORT     STATE SERVICE
 |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 |     compressors: 
 |       NULL
 |     cipher preference: server
+|     warnings: 
+|       64-bit block cipher 3DES vulnerable to SWEET32 attack
 |   TLSv1.1: 
 |     ciphers: 
 |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
 |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
 |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 |     compressors: 
 |       NULL
 |     cipher preference: server
+|     warnings: 
+|       64-bit block cipher 3DES vulnerable to SWEET32 attack
 |   TLSv1.2: 
 |     ciphers: 
 |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
@@ -30,14 +36,18 @@ PORT     STATE SERVICE
 |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
 |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
+|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
+|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
 |     compressors: 
 |       NULL
 |     cipher preference: server
+|     warnings: 
+|       64-bit block cipher 3DES vulnerable to SWEET32 attack
 |   TLSv1.3: 
 |     ciphers: 
 |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
 |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
 |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
 |     cipher preference: server
-|_  least strength: A
+|_  least strength: C
diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -204,7 +204,7 @@ github.com/openshift/cluster-kube-descheduler-operator/pkg/apis/descheduler/v1
 ## explicit; go 1.12
 github.com/openshift/custom-resource-status/conditions/v1
 github.com/openshift/custom-resource-status/objectreferences/v1
-# github.com/openshift/library-go v0.0.0-20250402180609-ce2ba53fb2a4
+# github.com/openshift/library-go v0.0.0-20250416130344-ac3ba9eb16a2
 ## explicit; go 1.23.0
 github.com/openshift/library-go/pkg/crypto
 # github.com/operator-framework/api v0.30.0