HAproxy 2048bit ssl fix

Bug #1514904 reported by Ferenc Hernadi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | Medium | Ferenc Hernadi |
7.0.x | Won't Fix | Medium | Denis Puchkin |

Bug Description

When we use our SSL cert, we got the following error message from haproxy:
"[WARNING] 305/124602 (31274) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear."

I think setting the necessary "tune.ssl.default-dh-param 2048" isn't a big deal.
If you agree with me, please merge my change request.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/243704

Changed in fuel:
assignee: nobody → Ferenc Hernadi (ferenc-hernadi)
status: New → In Progress
Artem Roma (aroma-x)
Changed in fuel:
importance: Undecided → Medium
milestone: none → 8.0
tags: added: area-library
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/243704
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=3086e26102f5ccbb0536ef5c8bda78cd06beecdc
Submitter: Jenkins
Branch: master

commit 3086e26102f5ccbb0536ef5c8bda78cd06beecdc
Author: Ferenc Hernadi <email address hidden>
Date: Tue Nov 10 17:17:22 2015 +0100

    Add support for 2048bit ssl certificate to HAproxy

    The current HAproxy configuration supports only 1024bit ssl
    certificates without warnings.
    Modify the configuration to support 2048bit certificates.

    Change-Id: I87dfd4c7ea56b5f432d324d02c63ee020a5f2a7f
    Closes-bug: #1514904

Changed in fuel:
status: In Progress → Fix Committed
tags: added: customer-found
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/7.0)

Fix proposed to branch: stable/7.0
Review: https://review.openstack.org/259984

Revision history for this message
Denis Puchkin (dpuchkin) wrote :

Won't Fix for 7.0 because of Medium importance

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/7.0)

Change abandoned by Denis Puchkin (<email address hidden>) on branch: stable/7.0
Review: https://review.openstack.org/259984

tags: added: wontfix-low
tags: added: on-verification
Revision history for this message
Mikhail Samoylov (msamoylov) wrote :

Verified in fuel version:
[root@nailgun ~]# cat /etc/fuel/version.yaml
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "570"
  build_id: "570"
  fuel-nailgun_sha: "558ca91a854cf29e395940c232911ffb851899c1"
  python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
  fuel-agent_sha: "658be72c4b42d3e1436b86ac4567ab914bfb451b"
  fuel-nailgun-agent_sha: "b2bb466fd5bd92da614cdbd819d6999c510ebfb1"
  astute_sha: "b81577a5b7857c4be8748492bae1dec2fa89b446"
  fuel-library_sha: "c2a335b5b725f1b994f78d4c78723d29fa44685a"
  fuel-ostf_sha: "3bc76a63a9e7d195ff34eadc29552f4235fa6c52"
  fuel-mirror_sha: "fb45b80d7bee5899d931f926e5c9512e2b442749"
  fuelmenu_sha: "78ffc73065a9674b707c081d128cb7eea611474f"
  shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
  network-checker_sha: "a43cf96cd9532f10794dce736350bf5bed350e9d"
  fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
  fuelmain_sha: "d605bcbabf315382d56d0ce8143458be67c53434

Steps:
1. Deploy cluster with 1 controller, 1 compute + cinder
2. Check that the haproxy config has the param $haproxy_ssl_default_dh_param = '2048'
cat /etc/haproxy/haproxy.cfg
...
 tune.ssl.default-dh-param 2048
3. Restart haproxy
Check output for restart. It must be without any errors about dh group length.
root@node-1:~# service haproxy restart
 * Restarting haproxy haproxy [ALERT] 049/135745 (32584) : Starting proxy nova-metadata-api: cannot bind socket [10.109.1.3:8775]

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released
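
A scripted form of the config check in verification step 2, as an added example that is not part of the bug report or the fuel-library change: it reads the global section of a haproxy.cfg and reports whether tune.ssl.default-dh-param meets a minimum. The function names, exit codes and sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not fuel-library code): audit haproxy.cfg for the DH size.

# effective_dh_param FILE -> prints the last tune.ssl.default-dh-param
# found in the "global" section, or nothing if the directive is absent.
effective_dh_param() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers)$/ {
            in_global = ($1 == "global"); next   # a section keyword switches scope
        }
        in_global && $1 == "tune.ssl.default-dh-param" { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# check_dh_param FILE [MIN_BITS]
# Returns 0 = value >= MIN_BITS, 1 = set but too small or malformed,
# 2 = not set (the warning quoted in this report shows HAProxy then uses 1024).
check_dh_param() {
    min=${2:-2048}
    value=$(effective_dh_param "$1")
    case $value in
        '')       echo "UNSET: tune.ssl.default-dh-param not in global section"; return 2 ;;
        *[!0-9]*) echo "INVALID: tune.ssl.default-dh-param '$value'"; return 1 ;;
    esac
    if [ "$value" -ge "$min" ]; then
        echo "OK: tune.ssl.default-dh-param $value"
    else
        echo "WEAK: tune.ssl.default-dh-param $value < $min"; return 1
    fi
}

# Constructed sample config (not taken from a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
global
  daemon
  tune.ssl.default-dh-param 2048   # value set by the fix

defaults
  mode http
EOF
check_dh_param "$sample" || true
rm -f "$sample"
```

On a deployed controller the call would be `check_dh_param /etc/haproxy/haproxy.cfg`; a directive that appears only outside the global section, or only in a comment, is reported as unset.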