TLSv1 and TLSv1.1 are still enabled

Bug #1886630 reported by Yoshi Kadokawa
Affects                    Status        Importance  Assigned to    Milestone
Charm Helpers              Fix Released  Undecided   Nobuto Murata
OpenStack Base Layer       Fix Released  Undecided   Nobuto Murata  20.10
OpenStack Dashboard Charm  Fix Released  Undecided   Nobuto Murata  20.08
OpenStack Keystone Charm   Fix Released  Undecided   Nobuto Murata  21.04

Bug Description

According to the IETF RFC[0] and the OpenStack security guide[1],
TLSv1 and TLSv1.1 are no longer recommended for TLS termination.

I'm now deploying OpenStack Queens for a customer, and the customer's requirement is to at least meet the configuration from Mozilla's SSL configuration generator with the "Intermediate" profile[2],
which is to disable SSLv3, TLSv1 and TLSv1.1.
For openstack-dashboard, SSLProtocol is configured from the template[3]; however, for all other API endpoints, it looks like SSLProtocol is configured in charm-helpers[4], so I believe a change in charm-helpers will be required as well.

[0] https://tools.ietf.org/html/rfc7525#section-3.1
[1] https://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html#cryptographic-algorithms-cipher-modes-and-protocols
[2] https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1d&guideline=5.4
[3] https://opendev.org/openstack/charm-openstack-dashboard/src/branch/master/templates/default-ssl#L39
[4] https://github.com/juju/charm-helpers/blob/526cc386599ce63f1b8c5cba1bc9eec87f2a13e8/charmhelpers/contrib/openstack/templates/openstack_https_frontend#L9
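The report above turns on a single Apache directive (SSLProtocol) rendered from two different templates. The script below is an added example, not code from charm-helpers, charm-openstack-dashboard or layer-openstack: it evaluates SSLProtocol lines the way mod_ssl parses them and reports which deprecated versions a rendered vhost would still negotiate, so a unit can be audited before a customer's scanner does it. The sample vhosts are constructed, not the real template contents. It assumes Apache 2.4 on OpenSSL 1.1.x, where "all" expands to SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, "-SSLv2" is tolerated as a no-op, a bare protocol name resets the set, "+name" adds, "-name" removes, the last directive in a scope wins, and the default with no directive is "all -SSLv3".

```python
"""Audit which TLS versions a rendered Apache vhost still accepts.

Added example for the bug report; not charm code.  Assumptions (not from the
report): Apache 2.4 / OpenSSL 1.1.x semantics for SSLProtocol as described in
the lead-in.
"""

# Expansion of the "all" keyword (assumption: Apache 2.4 on OpenSSL 1.1.x).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Versions RFC 7525 and the Mozilla "intermediate" profile say not to offer.
DEPRECATED = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})

_LOOKUP = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(directive):
    """Return the set of versions enabled by one SSLProtocol line."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        action, name = "=", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        key = name.lower()
        if key == "sslv2":
            if action == "-":
                continue  # "-SSLv2" is accepted as a no-op (assumption)
            raise ValueError("SSLv2 cannot be enabled: %r" % directive)
        if key == "all":
            names = set(ALL_PROTOCOLS)
        elif key in _LOOKUP:
            names = {_LOOKUP[key]}
        else:
            raise ValueError("unknown protocol %r in %r" % (name, directive))
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names  # a bare name replaces the set (assumption)
    return enabled


def effective_protocols(vhost_text):
    """Evaluate a rendered vhost; the last SSLProtocol directive wins."""
    effective = None
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "sslprotocol":
            effective = enabled_protocols(line)
    if effective is None:
        # No directive at all: mod_ssl's own default (assumption).
        effective = enabled_protocols("SSLProtocol all -SSLv3")
    return effective


def deprecated_still_enabled(vhost_text):
    """Deprecated versions the vhost would negotiate; empty set means it passes."""
    return effective_protocols(vhost_text) & DEPRECATED


# Constructed sample vhosts, loosely modelled on a charm-rendered frontend.
BEFORE_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    # constructed "before" line: only SSLv2/SSLv3 are excluded
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

AFTER_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    # Mozilla intermediate for Apache 2.4.29 / OpenSSL 1.1.1
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_VHOST), ("after", AFTER_VHOST)):
        bad = deprecated_still_enabled(text)
        print("%s: enabled=%s deprecated=%s" % (
            label, sorted(effective_protocols(text)), sorted(bad) or "none"))
```

Point `effective_protocols` at the rendered vhost file on a unit (under /etc/apache2/sites-available; the exact filename is charm-specific and not stated in the report). A config audit is not a wire check: after a charm upgrade, confirm the endpoint with `openssl s_client -connect host:443 -tls1_1`, which should now fail the handshake, and remember that SSLCipherSuite is refreshed separately from SSLProtocol.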

Nobuto Murata (nobuto)
Changed in charm-helpers:
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto) wrote :
Changed in charm-helpers:
status: New → In Progress
Nobuto Murata (nobuto) wrote :

Subscribing ~field-medium.

We are failing security checks by a customer because TLSv1 and TLSv1.1 are still enabled. We need to refresh the list of ciphers and protocols sooner rather than later. It's a kind of behavioral change, so I don't expect it to be backported to the current stable charms immediately. However, I expect the pull request to be reviewed and merged as necessary and to be propagated into each charm as a part of the 20.08 release.
https://github.com/juju/charm-helpers/pull/485

Changed in charm-openstack-dashboard:
assignee: nobody → Nobuto Murata (nobuto)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.opendev.org/739722

Changed in charm-openstack-dashboard:
status: New → In Progress
Nobuto Murata (nobuto) wrote : Re: TLSv1 and TLSv1.1 is still used
Changed in charm-helpers:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/739722
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e462df7401ac144dce2aeb36b4e563980410a920
Submitter: Zuul
Branch: master

commit e462df7401ac144dce2aeb36b4e563980410a920
Author: Nobuto Murata <email address hidden>
Date: Tue Jul 7 21:18:48 2020 +0900

    Refresh cipher suites and protocols

    The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
    base configuration recommended by Mozilla.
    https://wiki.mozilla.org/Security/Server_Side_TLS

    Follow-up of the following commits:
    106f418f13c073b1e7d4c57483f423d5f4d0dd10

    Related changes in charm-helpers:
    https://github.com/juju/charm-helpers/pull/485

    Change-Id: Ib959663634bc648328e5cb35ed3d3622d759412c
    Closes-Bug: #1886630

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
Nobuto Murata (nobuto) wrote : Re: TLSv1 and TLSv1.1 is still used

The reviews have been completed so unsubscribing ~field-medium.

James Page (james-page)
Changed in charm-openstack-dashboard:
milestone: none → 20.08
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto) wrote :

The charm helper change is now a part of stable/20.08 branch and a release of it.
https://github.com/juju/charm-helpers/commit/27d6ceb385e44a0610c1a6aba8e225368c4af384

summary: - TLSv1 and TLSv1.1 is still used
+ TLSv1 and TLSv1.1 are still enabled
Changed in charm-helpers:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto)
Changed in layer-openstack:
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto) wrote :

An equivalent change to layer-openstack. It's necessary for OpenStack reactive charms as those do not inherit the template from the charm-helper...
https://review.opendev.org/#/c/747601/

Changed in layer-openstack:
status: New → In Progress
Nobuto Murata (nobuto) wrote :

Subscribing ~field-high again. I've realized that the cipher change hasn't been applied to reactive charms as a part of 20.08, and then found that charm-layer-openstack has to be updated too.

I'm aware a similar escalation has been done as bug 1892450, but I'm focusing on propagating the original charm-helpers change to all OpenStack API charms here. Please review and merge the change when appropriate, and backport it to 20.08. At this moment, an inconsistent cipher list is used between classic and reactive OpenStack charms.
https://review.opendev.org/#/c/747601/

Nobuto Murata (nobuto) wrote :
Changed in layer-openstack:
status: In Progress → Fix Committed
Changed in layer-openstack:
milestone: none → 20.10
Changed in layer-openstack:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto)
Changed in charm-keystone:
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto) wrote :
Changed in charm-keystone:
status: New → In Progress
Nobuto Murata (nobuto) wrote :
Changed in charm-keystone:
status: In Progress → Fix Committed
Changed in charm-keystone:
milestone: none → 21.04
status: Fix Committed → Fix Released