3DES/TDEA/des3 shown in examples, although it has been deprecated in 2017

Bug #1948506 reported by Andrea Ieri
Affects                            Status        Importance  Assigned to    Milestone
OpenStack Charms Deployment Guide  Fix Released  Medium      Peter Matulis  -
OpenStack Octavia Charm            Fix Released  Medium      Peter Matulis  22.04

Bug Description

This bug tracker is for errors with the documentation, use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes:

- [ ] This doc is inaccurate in this way: ______
- [ ] This is a doc addition request.
- [x] I have a fix to the document that I can paste below including example: input and output.

If you have a troubleshooting or support issue, use the following resources:

 - The mailing list: https://lists.openstack.org
 - IRC: 'openstack' channel on OFTC

-----------------------------------
Release: 0.0.1.dev415 on 2021-10-22 18:36:27
SHA: bdf8817a2e907b5bdbd55c4dcfd0201e1eca67a3
Source: https://opendev.org/openstack/charm-deployment-guide/src/deploy-guide/source/app-octavia.rst
URL: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-octavia.html

NIST deprecated triple DES in 2017[0], but the example genrsa commands shown on this page suggest its use.
Though not a security issue per se (it's just a cli example), there is a high risk these commands will make their way into production systems via copy/paste.
I also noted that the openssl 1.1.1j man lists the genrsa subcommand as being deprecated in favor of genpkey.

The examples should therefore probably list something like the following instead:

openssl genpkey -algorithm RSA -out issuing_ca_key.pem -aes-256-ecb -pass pass:$PASSWORD

[0] https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA

Changed in charm-deployment-guide:
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → Peter Matulis (petermatulis)
Nobuto Murata (nobuto) wrote :
Changed in charm-octavia:
importance: Undecided → Medium
assignee: nobody → Peter Matulis (petermatulis)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-deployment-guide (master)
Changed in charm-octavia:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to charm-octavia (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-octavia/+/825158

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-deployment-guide (master)

Reviewed: https://review.opendev.org/c/openstack/charm-deployment-guide/+/825033
Committed: https://opendev.org/openstack/charm-deployment-guide/commit/57e75a04888442d79dd455bccb44276326f452c1
Submitter: "Zuul (22348)"
Branch: master

commit 57e75a04888442d79dd455bccb44276326f452c1
Author: Peter Matulis <email address hidden>
Date: Mon Jan 17 22:07:55 2022 -0500

    Fix and improve SSL section for Octavia

    The `genrsa` command is superseded by the `genpkey`
    command.

    The CA cert and key were not being referenced by the
    ensuing block of `juju config` commands.

    Improve and streamline wording.

    Closes-Bug: #1948506
    Closes-Bug: #1927664
    Change-Id: I4cc64319bb2ab8bafd54a85b5d8dabd3c5947549

Changed in charm-deployment-guide:
status: In Progress → Fix Released
Andrea Ieri (aieri) wrote :

Thank you for the fix! Was the switch from an encrypted key to an unencrypted one intentional, though?

`openssl genpkey -algorithm RSA -pass pass:foobar -out issuing_ca_key.pem` will ignore the password and generate an unencrypted key; you need to specify a cipher if you want to encrypt the key.

# Legacy (encrypted)
openssl genrsa -passout pass:foobar -des3 -out - 2048 2>/dev/null | head -3
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F313F3AC3E2BD922

# Update (unencrypted)
openssl genpkey -algorithm RSA -pass pass:foobar -out - 2>/dev/null | head -1
-----BEGIN PRIVATE KEY-----

# Proposed (encrypted)
openssl genpkey -algorithm RSA -pass pass:foobar -aes-256-cbc -out - 2>/dev/null | head -1
-----BEGIN ENCRYPTED PRIVATE KEY-----

Andrea Ieri (aieri)
Changed in charm-deployment-guide:
status: Fix Released → New
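The three cases from the comment above, together with the check a practitioner would run on the resulting file before it goes anywhere near a juju config, as an added example that is not part of the bug report, the charm-deployment-guide or the charm-octavia README. It assumes a POSIX shell with the openssl CLI (1.1.1 or 3.x); the file names, the password "foobar" and the 2048-bit default are illustrative. It goes slightly beyond the comment in one respect: it recognises both the traditional PEM form (DEK-Info header, what OpenSSL 1.x genrsa writes) and the PKCS#8 EncryptedPrivateKeyInfo form (what genpkey, and genrsa on OpenSSL 3, write), so the same check finds a 3DES-wrapped key whichever tool produced it.

```shell
#!/bin/sh
# Added example, not code from the charm-deployment-guide or from the bug
# reporter: generate an encrypted RSA CA key with `genpkey`, then prove from
# the file alone which cipher protects it. File names, the password "foobar"
# and the 2048-bit default are illustrative assumptions.
set -eu

# Generate an RSA key wrapped with AES-256-CBC (PKCS#8 PBES2).
# Without a cipher flag, genpkey silently ignores -pass and writes the key
# in the clear; that is the regression the comment above reports.
gen_encrypted_key() {
    out=$1; pass=$2; bits=${3:-2048}
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -aes-256-cbc -pass "pass:$pass" -out "$out" 2>/dev/null
}

# Print how a PEM private key is protected, lower-cased:
#   none             key is stored unencrypted
#   legacy:<cipher>  traditional PEM with a DEK-Info header (OpenSSL 1.x genrsa)
#   pkcs8:<cipher>   EncryptedPrivateKeyInfo; cipher read from the PBES2 parameters
# Either form can carry DES-EDE3-CBC, so this works whichever one
# `genrsa -des3` produced on the installed OpenSSL.
key_protection() {
    f=$1
    if grep -q '^DEK-Info:' "$f"; then
        cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$f")
        printf 'legacy:%s\n' "$cipher" | tr 'A-Z' 'a-z'
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        # asn1parse prints the PBES2 encryption-scheme OID by its long name
        cipher=$(openssl asn1parse -in "$f" \
            | grep -oE 'aes-[0-9]+-[a-z]+|des-ede3-cbc' | head -1)
        printf 'pkcs8:%s\n' "${cipher:-unknown}"
    else
        echo none
    fi
}

# Succeed only if the password unlocks the key; a wrong password gives a
# non-zero exit status. An unencrypted key also loads, so pair this with
# key_protection rather than relying on it alone.
key_unlocks() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Walk through the three cases from the comment: proposed, regressed, legacy.
demo() {
    d=$(mktemp -d)
    gen_encrypted_key "$d/issuing_ca_key.pem" foobar
    echo "genpkey -aes-256-cbc : $(key_protection "$d/issuing_ca_key.pem")"
    openssl genpkey -algorithm RSA -pass pass:foobar -out "$d/plain.pem" 2>/dev/null
    echo "genpkey, no cipher   : $(key_protection "$d/plain.pem")"
    openssl genrsa -des3 -passout pass:foobar -out "$d/legacy.pem" 2048 2>/dev/null
    echo "genrsa -des3         : $(key_protection "$d/legacy.pem")"
    rm -rf "$d"
}
```

Source the file and call `demo`, or run `key_protection` against any existing key file: anything other than `pkcs8:aes-...` (or `none` where you expected an encrypted key) is worth a second look before the key is handed to the charm.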
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-deployment-guide (master)
Changed in charm-deployment-guide:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-deployment-guide (master)

Reviewed: https://review.opendev.org/c/openstack/charm-deployment-guide/+/825356
Committed: https://opendev.org/openstack/charm-deployment-guide/commit/e830357899027efb5484bed605eb3b4f9296bf37
Submitter: "Zuul (22348)"
Branch: master

commit e830357899027efb5484bed605eb3b4f9296bf37
Author: Peter Matulis <email address hidden>
Date: Wed Jan 19 12:28:31 2022 -0500

    Fix Octavia key creation

    A recent improvement to the Octavia page neglected to
    encrypt the generated private keys. In this commit,
    cipher suite AES-256 was chosen without mode, allowing
    the default, which I believe is CBC.

    Closes-Bug: #1948506
    Change-Id: I999b76b1d80341509c6a2e29a68ccd9dfa8481a8

Changed in charm-deployment-guide:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to charm-octavia (master)

Reviewed: https://review.opendev.org/c/openstack/charm-octavia/+/825158
Committed: https://opendev.org/openstack/charm-octavia/commit/8c95f18ca183e2614043da40a8d67671a4ed3387
Submitter: "Zuul (22348)"
Branch: master

commit 8c95f18ca183e2614043da40a8d67671a4ed3387
Author: Peter Matulis <email address hidden>
Date: Tue Jan 18 13:41:10 2022 -0500

    Sync commands in README with CDG content

    Make the commands in the README the same as those on the
    Octavia page of the CDG.

    Duplicated content will be removed and replaced with a
    link to the CDG during the next review of the README.

    Related-Bug: #1948506
    Change-Id: I5c182d3c985bdd6ca304bfa8c055241e6b6f0f68

Changed in charm-octavia:
status: In Progress → Fix Committed
Changed in charm-octavia:
milestone: none → 22.04
Changed in charm-octavia:
status: Fix Committed → Fix Released