TLS 1.3 support in IPA (oslo.service/ eventlet)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ironic-python-agent | Invalid | Undecided | Unassigned |
Bug Description
oslo.service powers WSGI functionality in IPA, and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus even when IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only establish TLS 1.2 connections at most.
As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solving this issue depending on which dependency layer is touched.
The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.
Possible solutions:
- Use a different WSGI provider for IPA instead of oslo.service
- Use something instead of eventlet in oslo.service
- Eventlet could be used together with PyOpenSSL https:/ in oslo.service, as OpenSSL supports TLS 1.3
EDIT:
After some additional research in the OpenStack ML archives:
https://<email address hidden>
It has become clear that in the long term eventlet usage would be deprecated:
https:/
Given the current governance plans and discussion, oslo libraries will be gradually moved to use aiohub (eventlet + asyncio), then eventlet would be gradually phased out in favor of asyncio. But as far as I can estimate, this process would end at some point in 2026 at the earliest, and I would like to see TLS 1.3 support in Ironic much earlier.
> With the current dependency chain there is no possibility to use TLS 1.3 with IPA
I don't believe this statement is actually true?
$ curl -kvI https://192.168.122.164:9999 2>&1 | grep 'connection using'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

$ openssl s_client -connect 192.168.122.164:9999 -tls1_3 -brief
Can't use SSL_get_servername
depth=0 CN = box
verify error:num=18:self-signed certificate
depth=0 CN = box
verify error:num=10:certificate has expired
notAfter=Aug 11 09:58:25 2023 GMT
notAfter=Aug 11 09:58:25 2023 GMT
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = box
Hash used: SHA256
Signature type: ECDSA
Verification error: certificate has expired
Server Temp Key: X25519, 253 bits
I think what we discovered is that you cannot limit IPA to *only* support 1.3 because of Python (not only oslo.service) limitations.
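The same check as the `openssl s_client -tls1_3` run above, done from Python's stdlib `ssl` module so it can be repeated against an IPA listener from a deploy host. This is an added example, not code from the bug report or from IPA; the host and port are placeholders, and `verify=False` only mirrors `curl -k` for diagnosing a self-signed or expired certificate.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Placeholder endpoint (assumption, not from the bug report): replace with the
# IPA listener you want to inspect, e.g. the address used in the openssl check.
IPA_HOST = "ipa.example.invalid"
IPA_PORT = 9999

@dataclass
class TlsProbeResult:
    protocol: Optional[str]      # e.g. "TLSv1.3", or None if the handshake failed
    ciphersuite: Optional[str]   # e.g. "TLS_AES_256_GCM_SHA384"
    error: Optional[str]         # handshake/alert text when the probe fails

def tls13_only_context(verify: bool = True) -> ssl.SSLContext:
    """Client context that offers TLS 1.3 and nothing else, like `openssl s_client -tls1_3`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if not verify:
        # Diagnostic-only equivalent of `curl -k`: a self-signed or expired
        # certificate (as in the comment above) should not hide the protocol result.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe_tls13(host: str, port: int, verify: bool = True, timeout: float = 5.0) -> TlsProbeResult:
    """Report whether host:port negotiates TLS 1.3 when the client offers only TLS 1.3."""
    if not ssl.HAS_TLSv1_3:
        return TlsProbeResult(None, None, "local OpenSSL build lacks TLS 1.3")
    ctx = tls13_only_context(verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return TlsProbeResult(tls.version(), name, None)
    except ssl.SSLError as exc:
        # A protocol-version alert here means the server tops out at TLS 1.2.
        return TlsProbeResult(None, None, exc.reason or str(exc))
    except OSError as exc:
        return TlsProbeResult(None, None, str(exc))

if __name__ == "__main__":
    print(probe_tls13(IPA_HOST, IPA_PORT, verify=False))
```

A result with `protocol == "TLSv1.3"` matches the `CONNECTION ESTABLISHED` output above; a result whose `error` names a protocol version means the endpoint refused a TLS 1.3-only client.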