From aa7fa09365fea651b655e1804ca17a8795b4c633 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Fri, 26 Jul 2024 11:05:31 +0200
Subject: [PATCH] Update TLS v1.3 ciphers for rule

The following ciphers are all supported with TLS v1.3, but we weren't checking for them in the OpenShift cipher configuration:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256

This commit updates the regular expression in the rule to check for those ciphers so the check doesn't fail if OpenShift is using them.
---
 .../api-server/var_apiserver_tls_cipher_suites.var | 9 +++++++--
 .../api-server/var_apiserver_tls_cipher_suites_regex.var | 4 ++--
 .../openshift/etcd/var_etcd_tls_cipher_suites_regex.var | 6 +++---
 .../kubelet/var_ingresscontroller_tls_cipher_suites.var | 4 ++--
 .../openshift/kubelet/var_kubelet_tls_cipher_suites.var | 7 ++-----
 .../kubelet/var_kubelet_tls_cipher_suites_regex.var | 4 ++--
 6 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var
index ef62d245686..bc89cba91af 100644
--- a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var
+++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var
@@ -16,10 +16,15 @@ options:
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"'
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256"'
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
 2024-01-BSI-TR-02102-2: '"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"'
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384"'
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
index cd6ae6c7697..a4cb7379275 100644
--- a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
+++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
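Review bot: The `2024-01-BSI-TR-02102-2` value deliberately omits TLS_CHACHA20_POLY1305_SHA256, but to my knowledge the kube-apiserver is a Go binary and Go's crypto/tls does not let a server select TLS 1.3 cipher suites — all three TLS 1.3 suites stay enabled whenever TLS 1.3 is negotiated, whatever the configured list contains. Listing only TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 therefore does not remove ChaCha20 from the wire; the TLS 1.2 entries are the only part of this value the server actually enforces. I would extend the existing comment so nobody reads the BSI option as a TLS 1.3 restriction, e.g. `# NOTE: Go's crypto/tls cannot restrict TLS 1.3 suites; the TLS_* names below are accepted, but TLS_CHACHA20_POLY1305_SHA256 stays enabled for TLS 1.3 — this value only constrains TLS 1.2`. The `options:` mapping these values belong to starts outside the hunk.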
@@ -11,7 +11,7 @@ operator: equals
 interactive: false
 options:
- default: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ default: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
- 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var
index ac5dd8cae7e..c8faf9af8e0 100644
--- a/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var
+++ b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var
@@ -12,9 +12,9 @@ operator: equals
 interactive: false
 options:
- default: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ default: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
- pcidss: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ pcidss: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
- 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/kubelet/var_ingresscontroller_tls_cipher_suites.var b/applications/openshift/kubelet/var_ingresscontroller_tls_cipher_suites.var
index 71df03f61b9..dd29a1b0555 100644
--- a/applications/openshift/kubelet/var_ingresscontroller_tls_cipher_suites.var
+++ b/applications/openshift/kubelet/var_ingresscontroller_tls_cipher_suites.var
@@ -11,7 +11,7 @@ operator: equals
 interactive: false
 options:
- default: '"ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-CHACHA20-POLY1305","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384"'
+ default: '"ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","AES256-GCM-SHA384","AES128-GCM-SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384"'
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
- 2024-01-BSI-TR-02102-2: '"ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384"'
+ 2024-01-BSI-TR-02102-2: '"ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384","AES256-GCM-SHA384","AES128-GCM-SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var
index 439a33b96b6..81186f907a4 100644
--- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var
+++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var
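Review bot: The new `default` and `2024-01-BSI-TR-02102-2` values add `"AES256-GCM-SHA384","AES128-GCM-SHA256"`, which are the OpenSSL names for the static-RSA key-exchange suites (TLS_RSA_WITH_AES_*_GCM_*), not TLS 1.3 suites; they provide no forward secrecy, the three TLS_* names were already present on the old side of this hunk, and the commit message claims only to add those. Admitting static RSA under the BSI option in particular contradicts that profile, since BSI TR-02102-2 recommends only (EC)DHE key exchange for TLS 1.2, so I would drop both entries from both values and keep the lists ECDHE/DHE plus TLS 1.3 only; if they were added because an ingress controller reports them, that is a finding to surface, not a reason to loosen the baseline. Every remaining entry has also been reordered relative to the old value, so if the `equals` operator compares the rendered string literally rather than as a set, the reorder alone changes which ingress controllers pass — worth confirming against the check that consumes this variable.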
@@ -11,10 +11,7 @@ operator: equals
 interactive: false
 options:
- default: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+ default: '"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"'
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
- 2024-01-BSI-TR-02102-2: '"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"'
+ 2024-01-BSI-TR-02102-2: '"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384"'
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var
index 4634d5bddc7..11448dafc59 100644
--- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var
+++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var
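Review bot: The `default` value changes shape from a bare comma-separated string to a single-quoted string of double-quoted items (`'"TLS_…","TLS_…"'`), which is more than the commit message's "adds the TLS 1.3 names" describes and is not explained anywhere in the hunk. Whatever renders `var_kubelet_tls_cipher_suites` — presumably a KubeletConfig `tlsCipherSuites` list or a kubelet flag, neither of which is visible here — must accept the quoted form, so the templates and tests that consume this variable should be checked in the same change. On the plus side the `2024-01-BSI-TR-02102-2` option is rewritten from the old four-line scalar into the same one-line quoted form, so the two options are at least consistent with each other now. I would record the contract once confirmed with a comment above `default`, e.g. `# rendered verbatim as the items of a YAML/JSON list; keep every entry double-quoted and comma-separated`.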
@@ -11,7 +11,7 @@ operator: equals
 interactive: false
 options:
- default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)$"
+ default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
 # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
- 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)$"
+ 2024-01-BSI-TR-02102-2: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384)$"
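Review bot: The `2024-01-BSI-TR-02102-2` alternation now admits the two TLS 1.3 AES suites but still rejects TLS_CHACHA20_POLY1305_SHA256, so a kubelet whose `tlsCipherSuites` lists that name fails the BSI check while one that omits it passes — yet, as far as I know, the Go TLS stack the kubelet uses keeps all three TLS 1.3 suites enabled regardless of this setting, so the two kubelets behave identically on the wire. The regex therefore verifies configuration hygiene rather than what can be negotiated, and the existing comment does not say so; I would extend it with `# NOTE: TLS 1.3 suites cannot be disabled in Go's crypto/tls; this pattern only governs what the config may list, not what is negotiated`. Also keep this alternation in step with var_kubelet_tls_cipher_suites.var — the two are maintained by hand, in the same order, and the same three names were added to both in this commit.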