TLS 1.3 support in IPA (oslo.service/ eventlet)

Bug #2048520 reported by Adam Rozman
Affects: ironic-python-agent | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA, thus even when IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only establish maximum TLS 1.2 connections.

As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched.

The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

Possible solutions:
  - Use a different WSGI provider for IPA instead of oslo.service
  - Use something instead of eventlet in oslo.service
  - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl
    in oslo.service as OpenSSL supports TLS 1.3

EDIT:

After some additional research into the OpenStack ML archives:
https://<email address hidden>/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT

It has become clear that in the long term eventlet usage would be deprecated:
https://review.opendev.org/c/openstack/governance/+/902585

Given the current governance plans and discussion, oslo libraries will be gradually moved to use aiohub (eventlet + asyncio), then eventlet would be gradually phased out in favor of asyncio, but as far as I can estimate this process would end at some point in 2026 at the earliest, and I would like to see TLS 1.3 support in Ironic much earlier.

Adam Rozman (rozzix)
description: updated
Dmitry Tantsur (divius) wrote :

> With the current dependency chain there is no possibility to use TLS 1.3 with IPA

I don't believe this statement is actually true?

$ curl -kvI https://192.168.122.164:9999 2>&1 | grep 'connection using'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

$ openssl s_client -connect 192.168.122.164:9999 -tls1_3 -brief
Can't use SSL_get_servername
depth=0 CN = box
verify error:num=18:self-signed certificate
depth=0 CN = box
verify error:num=10:certificate has expired
notAfter=Aug 11 09:58:25 2023 GMT
notAfter=Aug 11 09:58:25 2023 GMT
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = box
Hash used: SHA256
Signature type: ECDSA
Verification error: certificate has expired
Server Temp Key: X25519, 253 bits

I think what we discovered is that you cannot limit IPA to *only* support 1.3 because of Python (not only oslo.service) limitations.

Changed in ironic-python-agent:
status: New → Incomplete
Adam Rozman (rozzix) wrote :

Yes, you are right. I assume, based on some follow-up investigation and discussion, that if we did not specify a TLS version then IPA-oslo-ssllib would negotiate the highest possible TLS version.

I think I will close this ticket. I don't have the TLS 1.3 enforcement requirement anymore.

Changed in ironic-python-agent:
status: Incomplete → Invalid
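As an added illustration of the closing comments (this is not code from the bug report, IPA or oslo.service), a loopback handshake with Python's stdlib ssl module: with no version pinned the peers negotiate the highest version both support (TLS 1.3), a server capped at TLS 1.2 yields TLS 1.2, and a client pinned to TLS 1.3 only fails against that server, which is the "enforcement" case. It assumes the openssl CLI is on PATH to mint a throwaway self-signed certificate; the client keeps certificate verification on by trusting only that test certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed_cert(directory):
    # Constructed, test-only certificate for "localhost" (assumes the openssl CLI is on PATH).
    key, cert = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "ec", "-pkeyopt",
                    "ec_paramgen_curve:prime256v1", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return key, cert

def negotiated_version(client_min="TLSv1_2", server_max="MAXIMUM_SUPPORTED"):
    """One loopback handshake; returns e.g. 'TLSv1.3', or None when the version ranges
    of client and server cannot overlap and the handshake is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed_cert(tmp)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(cert, key)
        srv.maximum_version = ssl.TLSVersion[server_max]  # highest version the "proxy" speaks
        cli = ssl.create_default_context(cafile=cert)     # verification on; trust only the test cert
        cli.minimum_version = ssl.TLSVersion[client_min]  # client floor (TLS 1.2 is Python's default)
        listener = socket.create_server(("127.0.0.1", 0))
        listener.settimeout(5)
        port = listener.getsockname()[1]

        def serve():
            try:
                conn, _ = listener.accept()
                conn.settimeout(5)
                with conn, srv.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # block until the client closes (close_notify)
            except OSError:
                pass  # a rejected handshake is reported on the client side
            finally:
                listener.close()

        worker = threading.Thread(target=serve, daemon=True)
        worker.start()
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                 cli.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.version()
        except (ssl.SSLError, ConnectionError):
            return None  # no common protocol version: the server alerts and drops the session
        finally:
            worker.join()

if __name__ == "__main__":
    print("defaults:", negotiated_version())
    print("server capped at TLS 1.2:", negotiated_version(server_max="TLSv1_2"))
    print("TLS 1.3-only client vs 1.2 server:", negotiated_version("TLSv1_3", "TLSv1_2"))
```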