harden haproxy TLS config according to mozilla

Bug #2060787 reported by Sven Kieske
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | In Progress | Medium | Sven Kieske | |
| Antelope | Confirmed | Medium | Unassigned | |
| Bobcat | Confirmed | Medium | Unassigned | |
| Caracal | In Progress | Medium | Sven Kieske | |
| Yoga | Confirmed | Medium | Unassigned | |
| Zed | Confirmed | Medium | Unassigned | |

Bug Description

Hi,

When testing OpenStack TLS endpoints using `sslyze`, I get the following error:

 COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 --------------------------------------------

    Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

   example.com:443: FAILED - Not compliant.
        * ciphers: Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'} are supported, but should be rejected.

I prepared a fix to harden the TLS config.

Kind regards
Sven
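
A pre-deployment check for the finding above, as an added example that is not part of the original report or of kolla-ansible: it parses the sslyze finding, maps the four flagged IANA suite names to their OpenSSL names, and expands a candidate OpenSSL cipher string (the format HAProxy accepts, for example in `ssl-default-bind-ciphers`) with the local OpenSSL to see whether any flagged suite would still be enabled. `CANDIDATE` is a constructed AEAD-only string, not the value from the proposed fix, and the function names are hypothetical.

```python
import re
import ssl

# Finding line copied from the sslyze output in the report.
FINDING = (
    "* ciphers: Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', "
    "'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', "
    "'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', "
    "'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'} are supported, "
    "but should be rejected."
)

# IANA name -> OpenSSL name for the four suites in the finding.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
}

# Constructed candidate (AEAD-only), not the value from the proposed fix.
CANDIDATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)

def rejected_suites(finding):
    """Return the sorted IANA suite names the finding says must be rejected."""
    m = re.search(r"Cipher suites \{(.*?)\} are supported, but should be rejected", finding)
    return sorted(re.findall(r"'([A-Z0-9_]+)'", m.group(1))) if m else []

def enabled_names(cipher_string):
    """Expand a cipher string with the local OpenSSL and return suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    # TLS 1.3 suites are configured separately and are listed here as well.
    return {c["name"] for c in ctx.get_ciphers()}

def still_offered(finding, cipher_string):
    """Rejected suites the string still enables; unmapped names fail closed."""
    enabled = enabled_names(cipher_string)
    return [s for s in rejected_suites(finding)
            if IANA_TO_OPENSSL.get(s) in enabled or s not in IANA_TO_OPENSSL]

if __name__ == "__main__":
    print(still_offered(FINDING, CANDIDATE))
```

An empty list means the candidate string no longer enables any suite named in the finding; rerun `sslyze` against the deployed endpoint to confirm.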

Sven Kieske (s-kieske)
Changed in kolla-ansible:
assignee: nobody → Sven Kieske (s-kieske)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress