allow TLSv1.3 in ZK for FIPS client connection

[showuon]

Type of change

Select the type of your PR

• Bugfix

Description

In RHEL 9, there is a new policy forced in FIPS mode:
The Extended Master Secret TLS Extension is now enforced on FIPS-enabled systems

The result is that:
Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9.

This is the case we saw in the test.

So, to allow the client connect to FIPS server, we need to enable TLSv1.3 in zookeeper.

In v3.8.x, it only enables TLSv1.2 by default. We need to enable it manually. To enable TLSv1.3 in ZK, we need to set some configurations. You can see the default value of ssl.protocol and ssl.quorum.protocol is TLSv1.2. We need to update them.

For the ssl.ciphersuites, we need to add TLSv13Ciphers manually, too. Compared v3.8.4 with master branch, we can see the TLSv13Ciphers is missed in v3.8.4 branch. I added them into the config, too.

With this change, the SecurityST#testCertificates can pass in FIPS enabled cluster.

Checklist

Please go through this checklist and make sure all applicable tasks have been done

• Write tests
• [V] Make sure all tests pass
• Update documentation
• Check RBAC rights for Kubernetes / OpenShift roles
• Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
• Reference relevant issue(s) and close them after merging
• Update CHANGELOG.md
• Supply screenshots for visual changes, such as Grafana dashboards

[showuon]

The result of
getSupportedCiphers(getGCMCiphers(), getCBCCiphers(), getTLSv13Ciphers()) in this line.

[scholzj]

Is this related to the system test issue @im-konge had? Does this really related to UBI9 (versus RHEL9)? I think we need to consider how many things this might break.

[scholzj]

Suggested change

ssl.quorum.ciphersuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256

ssl.quorum.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256

[scholzj]

Also, this is the wrong place to put this as these fields are user configurable. If we really want this, I think it should be handled in the operator.

[showuon]

Also, this is the wrong place to put this as these fields are user configurable. If we really want this, I think it should be handled in the operator.

OK, @im-konge , could you follow up with this PR? You can take it over since I'm going to log off and it is blocking some testing. Thank you.