TLSv1 and TLSv1.1 are still enabled

Bug #1886630 reported by Yoshi Kadokawa on 2020-07-07
Affects                              Status        Importance  Assigned to    Milestone
Charm Helpers                        Fix Released  Undecided   Nobuto Murata  -
OpenStack Base Layer                 Fix Released  Undecided   Nobuto Murata  20.10
OpenStack keystone charm             Fix Released  Undecided   Nobuto Murata  21.04
OpenStack openstack-dashboard charm  Fix Released  Undecided   Nobuto Murata  20.08

Bug Description

According to the IETF RFC[0] and the OpenStack security guide[1],
TLSv1 and TLSv1.1 are no longer recommended for TLS termination.

I'm now deploying OpenStack Queens for a customer, and the customer's requirement is to at least meet the configuration from Mozilla's SSL configuration generator with "Intermediate"[2],
which is to disable SSLv3, TLSv1 and TLSv1.1.
For openstack-dashboard, SSLProtocol is configured from the template[3]; however, for all other API endpoints, it looks like SSLProtocol is configured in charm-helpers[4], so I believe a change in charm-helpers will be required as well.

[0] https://tools.ietf.org/html/rfc7525#section-3.1
[1] https://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html#cryptographic-algorithms-cipher-modes-and-protocols
[2] https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1d&guideline=5.4
[3] https://opendev.org/openstack/charm-openstack-dashboard/src/branch/master/templates/default-ssl#L39
[4] https://github.com/juju/charm-helpers/blob/526cc386599ce63f1b8c5cba1bc9eec87f2a13e8/charmhelpers/contrib/openstack/templates/openstack_https_frontend#L9
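The report turns on what a rendered Apache template's SSLProtocol line actually enables. The following is an added example, not code from charm-helpers, charm-openstack-dashboard or layer-openstack: it re-implements the word-by-word semantics mod_ssl documents for SSLProtocol (a bare keyword replaces the set, "+" adds, "-" removes, keywords are case-insensitive) and audits a config fragment for SSLv3/TLSv1/TLSv1.1 without starting Apache. The sample vhost fragments are constructed for the example; the "intermediate" one carries the Mozilla guideline 5.4 values, and the assumption that "all" expands to every protocol mod_ssl knows (an OpenSSL build without no-ssl3) is marked in the code.

```python
"""Audit Apache SSLProtocol directives for legacy protocol versions.

Added example for this bug report, not the charms' own code. It mirrors
how mod_ssl parses SSLProtocol: words are processed left to right,
'-x' removes x, '+x' adds x, and a bare word replaces everything set so
far (mod_ssl only logs a warning in that last case, it still starts).
"""
import re

# Assumption: 'all' expands to every protocol mod_ssl knows about, i.e. an
# OpenSSL build without no-ssl3 or other compile-time exclusions.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions RFC 7525 and the Mozilla intermediate profile say must be off.
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
_BY_LOWER = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_sslprotocol(value):
    """Return the set of protocol names an SSLProtocol value enables."""
    enabled = set()
    for word in value.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        key = name.lower()
        if key == "all":
            chosen = set(ALL_PROTOCOLS)
        elif key in _BY_LOWER:
            chosen = {_BY_LOWER[key]}
        else:
            # mod_ssl refuses to start on an unknown keyword; mirror that.
            raise ValueError("Illegal protocol '%s'" % name)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare keyword: replaces, does not add
    return enabled


_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$",
                        re.IGNORECASE | re.MULTILINE)


def audit_config(text):
    """Return (value, enabled, enabled & LEGACY) per SSLProtocol directive."""
    findings = []
    for m in _DIRECTIVE.finditer(text):
        value = m.group(1)
        enabled = parse_sslprotocol(value)
        findings.append((value, enabled, enabled & LEGACY))
    return findings


def legacy_protocols_enabled(text):
    """Union of legacy versions left enabled anywhere in the fragment."""
    bad = set()
    for _, _, legacy in audit_config(text):
        bad |= legacy
    return bad


# Constructed sample inputs (not copied from any charm template).
# A 2016-era style line that only drops SSLv3 and so leaves TLSv1/1.1 on.
OLD_STYLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

# Mozilla "intermediate" profile for Apache 2.4 (guideline 5.4).
INTERMEDIATE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
</VirtualHost>
"""

# Ordering trap: the '-' words run against an empty set, then the bare
# 'all' replaces it, so every legacy version ends up enabled.
TRAP = "SSLProtocol -SSLv3 -TLSv1 -TLSv1.1 all\n"

if __name__ == "__main__":
    samples = (("old", OLD_STYLE), ("intermediate", INTERMEDIATE), ("trap", TRAP))
    for label, cfg in samples:
        for value, enabled, legacy in audit_config(cfg):
            verdict = "FAIL" if legacy else "ok"
            print("%-12s %-4s SSLProtocol %s -> %s"
                  % (label, verdict, value, sorted(enabled)))
```

Run it against the file Apache actually loaded (for the charms, the rendered default-ssl or openstack_https_frontend under /etc/apache2/sites-enabled) rather than the template source, since the value is substituted at render time; the "trap" sample shows why word order matters and why a scanner that only greps for "-TLSv1" would pass a broken line.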

Nobuto Murata (nobuto) on 2020-07-07
Changed in charm-helpers:
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto) wrote :
Changed in charm-helpers:
status: New → In Progress
Nobuto Murata (nobuto) wrote :

Subscribing ~field-medium.

We are failing security checks by a customer because TLSv1 and TLSv1.1 are still enabled. We need to refresh the list of ciphers and protocols sooner rather than later. It's a kind of behavioral change, so I don't expect it to be backported to the current stable charms immediately. However, I expect the pull request to be reviewed and merged as necessary and to be propagated into each charm as a part of the 20.08 release.
https://github.com/juju/charm-helpers/pull/485

Changed in charm-openstack-dashboard:
assignee: nobody → Nobuto Murata (nobuto)

Fix proposed to branch: master
Review: https://review.opendev.org/739722

Changed in charm-openstack-dashboard:
status: New → In Progress

Reviewed: https://review.opendev.org/739722
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e462df7401ac144dce2aeb36b4e563980410a920
Submitter: Zuul
Branch: master

commit e462df7401ac144dce2aeb36b4e563980410a920
Author: Nobuto Murata <email address hidden>
Date: Tue Jul 7 21:18:48 2020 +0900

    Refresh cipher suites and protocols

    The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
    base configuration recommended by Mozilla.
    https://wiki.mozilla.org/Security/Server_Side_TLS

    Follow-up of the following commits:
    106f418f13c073b1e7d4c57483f423d5f4d0dd10

    Related changes in charm-helpers:
    https://github.com/juju/charm-helpers/pull/485

    Change-Id: Ib959663634bc648328e5cb35ed3d3622d759412c
    Closes-Bug: #1886630

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed

The reviews have been completed so unsubscribing ~field-medium.

James Page (james-page) on 2020-08-03
Changed in charm-openstack-dashboard:
milestone: none → 20.08
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto) wrote :

The charm-helpers change is now part of the stable/20.08 branch and a release of it.
https://github.com/juju/charm-helpers/commit/27d6ceb385e44a0610c1a6aba8e225368c4af384

summary: - TLSv1 and TLSv1.1 is still used
+ TLSv1 and TLSv1.1 are still enabled
Changed in charm-helpers:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto) on 2020-08-24
Changed in layer-openstack:
assignee: nobody → Nobuto Murata (nobuto)
Nobuto Murata (nobuto) wrote :

An equivalent change to layer-openstack. It's necessary for OpenStack reactive charms as those do not inherit the template from the charm-helper...
https://review.opendev.org/#/c/747601/

Changed in layer-openstack:
status: New → In Progress
Nobuto Murata (nobuto) wrote :

Subscribing ~field-high again. I've realized that the cipher change hasn't been applied to reactive charms as a part of 20.08, and then found that charm-layer-openstack has to be updated too.

I'm aware a similar escalation has been done as bug 1892450, but I'm focusing on propagating the original charm-helpers change to all OpenStack API charms here. Please review and merge the change when appropriate, and backport it to 20.08. At this moment, an inconsistent cipher list is used between classic vs reactive OpenStack charms.
https://review.opendev.org/#/c/747601/

Nobuto Murata (nobuto) wrote :
Changed in layer-openstack:
status: In Progress → Fix Committed
Changed in layer-openstack:
milestone: none → 20.10
Changed in layer-openstack:
status: Fix Committed → Fix Released
Nobuto Murata (nobuto) on 2021-03-29
Changed in charm-keystone:
assignee: nobody → Nobuto Murata (nobuto)
Changed in charm-keystone:
status: New → In Progress
Nobuto Murata (nobuto) wrote :
Changed in charm-keystone:
status: In Progress → Fix Committed
Changed in charm-keystone:
milestone: none → 21.04
status: Fix Committed → Fix Released