MAAS TLS offers CBC ciphers

Bug #1995070 reported by Nobuto Murata
Affects   Status                 Importance  Assigned to  Milestone
MAAS      Status tracked in 3.6
  3.4     Won't Fix              Medium      Unassigned
  3.5     Won't Fix              Medium      Unassigned
  3.6     Triaged                Medium      Unassigned

Bug Description

maas: 1:3.2.6-12016-g.19812b4da-0ubuntu1~20.04.1

After enabling TLS in MAAS[1], a security scanner states that MAAS has CBC ciphers enabled, which is not critical but not recommended.

It would be nice to follow Mozilla's intermediate level:
https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1f

[nginx conf]

https://git.launchpad.net/maas/tree/src/maasserver/templates/http/regiond.nginx.conf.template?id=549b3b46aa563e4dcd1aa2586abaf9d550b3c349

$ grep ssl_ /var/lib/maas/http/regiond.nginx.conf
    ssl_certificate /var/lib/maas/http/certs/regiond-proxy.pem;
    ssl_certificate_key /var/lib/maas/http/certs/regiond-proxy-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "AES256+EECDH AES256+EDH !aNULL";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

[available ciphers to clients]

 Obsoleted CBC ciphers (AES, ARIA etc.) offered

TLSv1.2 (server order)
 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.3 (server order)
 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256

[1] https://maas.io/docs/how-to-enable-tls-encryption
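As an added check (not part of the report or of MAAS itself): feed the template's ssl_ciphers value and the Mozilla intermediate list to Python's ssl module, which wraps the same OpenSSL cipher-list parser nginx uses, and list the CBC suites each one actually enables. The Mozilla list is reproduced here from the generator linked above; verify it against that link before deploying.

```python
import ssl

# ssl_ciphers value the MAAS regiond nginx template emits (quoted in the report).
MAAS_CIPHERS = "AES256+EECDH AES256+EDH !aNULL"

# Mozilla "intermediate" cipher list for nginx, reproduced from the generator
# linked in the report; check it against that link before deploying.
MOZILLA_INTERMEDIATE = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])


def enabled_tls12_ciphers(cipher_string):
    """Return the TLS 1.2 suites OpenSSL enables for an nginx ssl_ciphers value.

    nginx hands the string to SSL_CTX_set_cipher_list, which is what
    SSLContext.set_ciphers wraps, so this mirrors the server's offer. TLS 1.3
    suites are negotiated separately and are not affected by ssl_ciphers, so
    they are left out. With an RSA certificate only *-RSA-* entries are offered.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches ssl_protocols above
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cbc_ciphers(cipher_string):
    """Names of enabled suites that use a CBC-mode (non-AEAD) bulk cipher."""
    return [
        c["name"]
        for c in enabled_tls12_ciphers(cipher_string)
        if not c["aead"] or (c["symmetric"] or "").endswith("-cbc")
    ]


def audit(cipher_string):
    """Summarise one ssl_ciphers value as (TLS 1.2 suite count, CBC suite names)."""
    return len(enabled_tls12_ciphers(cipher_string)), cbc_ciphers(cipher_string)


if __name__ == "__main__":
    for label, value in (("MAAS template", MAAS_CIPHERS),
                         ("Mozilla intermediate", MOZILLA_INTERMEDIATE)):
        total, cbc = audit(value)
        print(f"{label}: {total} TLS 1.2 suites, CBC: {cbc or 'none'}")
```

The template string enables ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES256-SHA (the two CBC suites the scanner flagged above), while the Mozilla list yields AEAD-only suites.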

Changed in maas:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 3.4.0
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.x
Changed in maas:
milestone: 3.4.x → 3.5.x