Member creation specifying TLS_cyphers of TLSv1.3 only on Pool leads to Loadbalancer in Error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
octavia | In Progress | High | Tom Weininger | 
Bug Description
Hello !
When creating a member in an HTTPS pool while specifying the default tls_ciphers from TLSv1.3, the Octavia loadbalancer ends up in ERROR and octavia-worker raises an exception.
Steps to reproduce:
1. openstack loadbalancer create --vip-subnet-id 1d357d00-
2. openstack loadbalancer listener create --protocol HTTPS --protocol-port 443 087ad07d-
3. loadbalancer pool create --listener cfbba52d-
4. openstack loadbalancer member create 3323d1b8-
Expected result:
The loadbalancer ends up in ACTIVE provisioning_status
Actual result:
The member fails to create and it ends up in ERROR
The following octavia-worker logs can be found:
https:/
Haproxy config before creating the member:
https:/
haproxy.
https:/
Changed in octavia:
status: Confirmed → In Progress
assignee: nobody → Tom Weininger (tweining)
The issue here is that you have selected both TLS 1.2 and TLS 1.3 for the pool, but you have provided ciphers that are valid for TLS 1.3 only. To allow TLS 1.2, there must be at least one TLS 1.2 compatible cipher included in the list.
If you add a valid TLS 1.2 cipher to the list, the member will be created properly.
For example, the "Intermediate" compatibility cipher list for TLS 1.2 and 1.3 is:
Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Cipher suites (TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
If you only want to use "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" as the only valid ciphers, you must only enable TLS 1.3.
This website can be a helpful reference for understanding valid ciphers for each protocol version: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
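The mismatch described in the comment above can be caught before the pool is touched. The following is an added example, not Octavia's own code or anything from this bug's attachments. It relies on the naming convention both OpenSSL and haproxy use: TLS 1.3 ciphersuites carry IANA names beginning with `TLS_`, everything else is a pre-1.3 cipher, and haproxy configures the two sets through separate directives (`ciphersuites` for TLS 1.3, `ciphers` for TLS 1.2 and earlier). How Octavia itself renders the pool's cipher string into its haproxy template is not shown on this page, so the `haproxy_directives` output is an assumption about what the backend needs, and the version names in `PRE_TLS13` are assumed to match Octavia's `tls_versions` values.

```python
"""Pre-flight check: does a pool's tls_ciphers list cover every enabled tls_versions entry?

Added example for this bug report; not Octavia project code.
Assumptions: TLS 1.3 suites are the names starting with "TLS_" (OpenSSL/haproxy
convention); version strings follow Octavia's "TLSv1.2"/"TLSv1.3" form.
"""

# Protocol versions whose ciphers live in haproxy's "ciphers" directive (assumed names).
PRE_TLS13 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed inputs: the reporter's TLS 1.3-only list, and the Mozilla
# "Intermediate" list quoted in the comment (TLS 1.3 suites plus TLS 1.2 ciphers).
TLS13_ONLY = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
MOZILLA_INTERMEDIATE = TLS13_ONLY + ":" + ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])


def split_cipher_string(tls_ciphers):
    """Split an OpenSSL-style colon-separated list into (pre-1.3 ciphers, TLS 1.3 suites)."""
    pre13, tls13 = [], []
    for name in filter(None, tls_ciphers.split(":")):
        (tls13 if name.startswith("TLS_") else pre13).append(name)
    return pre13, tls13


def haproxy_directives(tls_ciphers):
    """The two haproxy bind/server directives the list would turn into (assumed rendering)."""
    pre13, tls13 = split_cipher_string(tls_ciphers)
    directives = []
    if pre13:
        directives.append("ciphers " + ":".join(pre13))
    if tls13:
        directives.append("ciphersuites " + ":".join(tls13))
    return directives


def check_pool_tls(tls_versions, tls_ciphers):
    """Return a list of findings; an empty list means versions and ciphers are consistent.

    The reporter's failure mode is the first finding: a pre-1.3 version enabled with
    no pre-1.3 cipher to negotiate it, which leaves haproxy's "ciphers" set empty.
    """
    pre13, tls13 = split_cipher_string(tls_ciphers)
    findings = []
    wanted_pre13 = [v for v in tls_versions if v in PRE_TLS13]
    if wanted_pre13 and not pre13:
        findings.append(
            "error: %s enabled but the list has no pre-TLS1.3 cipher; add one "
            "(e.g. ECDHE-RSA-AES128-GCM-SHA256) or set tls_versions to TLSv1.3 only"
            % ", ".join(wanted_pre13)
        )
    if "TLSv1.3" in tls_versions and not tls13:
        # Not an error: OpenSSL falls back to its default TLS 1.3 suites when none are set.
        findings.append("warning: TLSv1.3 enabled but no TLS_ suite listed; OpenSSL defaults apply")
    return findings


if __name__ == "__main__":
    cases = [
        ("bug report: 1.2+1.3 with 1.3-only ciphers", ["TLSv1.2", "TLSv1.3"], TLS13_ONLY),
        ("fix A: restrict versions to 1.3", ["TLSv1.3"], TLS13_ONLY),
        ("fix B: add 1.2 ciphers (Mozilla Intermediate)", ["TLSv1.2", "TLSv1.3"], MOZILLA_INTERMEDIATE),
    ]
    for label, versions, ciphers in cases:
        print(label)
        for line in haproxy_directives(ciphers):
            print("  " + line)
        for finding in check_pool_tls(versions, ciphers) or ["ok"]:
            print("  " + finding)
```

Run it before the `openstack loadbalancer member create` step: the first case reproduces the report (an error finding and a single `ciphersuites` directive with no `ciphers` line), and either of the two fixes the comment proposes comes back clean.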