Landscape Server

No configuration option to require SSL on database connections

Bug #2064756 reported by Kyle Metscher
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Landscape Server
Status tracked in Beta
23.03
Fix Released
Undecided
Spencer Runde
Landscape Server 23.03+18.2
24.04
Fix Released
Undecided
Spencer Runde
Landscape Server 24.04.4
24.10
Fix Committed
Undecided
Spencer Runde
Landscape Server 24.10
Beta
Fix Released
Medium
Spencer Runde
Landscape Server 24.10-beta.1

Bug Description

Existing options for database store configuration in service.conf do not include an option for making SSL negotiation mandatory. As a result, services can open non-SSL connections to the PostgreSQL database, which raises compliance concerns for environments where in-flight encryption is required across the entire network.

To replicate, deploy Landscape manually with at least two hosts to separate the application server from the database. Configure info-level logging on the PostgreSQL database cluster and observe non-SSL connections being made in the logs. This can be made more obvious by editing rules in pg_hba.conf to require hostssl connections.

Kyle Metscher (kmetscher)
information type: Proprietary → Public
Spencer Runde (spencerrunde)
Changed in landscape:
assignee: nobody → Spencer Runde (spencerrunde)
Spencer Runde (spencerrunde)
Changed in landscape:
importance: Undecided → Medium
Spencer Runde (spencerrunde)
Changed in landscape:
status: New → In Progress
Revision history for this message
Spencer Runde (spencerrunde) wrote :

Development on this is mostly finished. The configuration option will only affect connections made by the package-search service. The Python services (i.e., all the other ones) will continue to use the default sslmode=prefer.

Revision history for this message
Mike Fry (mikefrygm) wrote :

I am curious why apply the change to only the one service?

Revision history for this message
Spencer Runde (spencerrunde) wrote :

Our dependencies for the Python services don't support passing an sslmode option when connecting to Postgres unfortunately.

Spencer Runde (spencerrunde)
Changed in landscape:
status: In Progress → Fix Committed
Revision history for this message
Mike Fry (mikefrygm) wrote :

Does this mean the fix is installable?

Revision history for this message
Spencer Runde (spencerrunde) wrote :

Hi Mike, "Fix Committed" means that I have included the fix in our main branch. I am working on including this fix in the 23.03 PPA, at which point I will mark the bug as "Fix Released".

Revision history for this message
Mike Fry (mikefrygm) wrote :

Thank you!

Revision history for this message
Spencer Runde (spencerrunde) wrote (last edit ):

This fix has been released for focal and jammy for version 23.03 in landscape-server 23.03+18.2-0landscape0. Version 23.10 will not get this fix as it is out-of-support.

Changed in landscape:
status: Fix Committed → Fix Released
Revision history for this message
Mike Fry (mikefrygm) wrote :

What repo will this update be available on?

Revision history for this message
Spencer Runde (spencerrunde) wrote :

Currently the fix is out in the self-hosted-23.03 ppa: https://launchpad.net/~landscape/+archive/ubuntu/self-hosted-23.03

The self-hosted-24.04 ppa will get this fix on our next release (likely next week).

Revision history for this message
Mike Fry (mikefrygm) wrote :

So this is not upgradable with apt upgrade, it requires apt install landscape-server?

Revision history for this message
Mike Fry (mikefrygm) wrote :

Also, I am not able to get the fix from the self-hosted-23.03 ppa: https://launchpad.net/~landscape/+archive/ubuntu/self-hosted-23.03

/var/www/landscape/self-hosted-23.03/ubuntu/pool/main/l/landscape-server# ll
total 23520
drwxr-xr-x 2 apt-mirror apt-mirror 4096 Feb 5 12:30 ./
drwxr-xr-x 5 apt-mirror apt-mirror 79 Nov 21 2023 ../
-rwxr-xr-x 1 apt-mirror apt-mirror 12272 Sep 22 2023 landscape-hosted_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12340 Jan 17 19:01 landscape-hosted_23.03+18-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 14536 Sep 22 2023 landscape-server-quickstart_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 14592 Jan 17 19:01 landscape-server-quickstart_23.03+18-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12008400 Sep 22 2023 landscape-server_23.03+17-0landscape0_amd64.deb*
-rwxr-xr-x 1 apt-mirror apt-mirror 12008572 Jan 17 19:01 landscape-server_23.03+18-0landscape0_amd64.deb*

after running apt-mirror

Contents of /etc/apt/mirror.list

############# config ##################
#
#set base_path /var/www/apt-mirror
set base_path /media/landscape/apt-mirror
#
# set mirror_path $base_path/mirror
# set skel_path $base_path/skel
# set var_path $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads 20
set _tilde 0
set auth_no_challenge 1
#
############# end config ##############

# Landscape

#deb http://ppa.launchpad.net/landscape/17.03/ubuntu xenial main
#deb http://ppa.launchpad.net/landscape/18.03/ubuntu xenial main
#deb http://ppa.launchpad.net/landscape/18.03/ubuntu bionic main
#deb http://ppa.launchpad.net/landscape/19.01/ubuntu bionic main
#deb http://ppa.launchpad.net/landscape/19.10/ubuntu bionic main
deb http://ppa.launchpad.net/landscape/self-hosted-23.03/ubuntu jammy main
#deb http://ppa.launchpad.net/landscape/self-hosted-24.04/ubuntu jammy main

clean http://archive.ubuntu.com/ubuntu

Revision history for this message
Spencer Runde (spencerrunde) wrote :

Hi Mike, this seems like it might be more of an issue with your mirrors. You may have better luck opening a support ticket since they'll be most knowledgeable about the particulars of your setup. Once you have the newest version available in your sources, you can `apt upgrade landscape-server` to get the newest version.

You'll also want to include an additional line in the [package-search] section of your service.conf to enable the fix:

```
[package-search]
...
sslmode = require
```

Or whichever sslmode you'd like. You can get a full list with explanations here: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS

Revision history for this message
Mike Fry (mikefrygm) wrote :

I have the patch installed and updated the configureation with the new parameters. All services restarted successfully. However, with a computer selected, I can't access any package information. I receive:

System error
An unexpected error has occurred. This event has been logged.

We apologize for the inconvenience.

Please contact Canonical Support for further assistance.

OOPS ID: ['OOPS-1cea1e640e814c2cdc01db0bd32f82ed']

What are the next steps needed to resolve this issue?

Revision history for this message
Spencer Runde (spencerrunde) wrote :

Hi Mike,

I'd recommend opening a support ticket to address that.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.