TLS ciphers/protocols are not configurable for console proxies

Bug #1842149 reported by Nathan Kinder
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Douglas Mendizábal
Milestone: none

Bug Description

Description
===========

The console proxies (VNC, SPICE, etc) currently don't allow the allowed TLS ciphers and protocol versions to be configurable. This results in the defaults being used from the underlying system (or even compiled defaults in OpenSSL), which may not be secure enough for many deployments.

For example, many commonly used distributions have compiled-in OpenSSL library defaults that allow things like SSLv3 and TLSv1.0 due to backwards compatibility concerns. This is often fine, as applications are expected to override the defaults if they want to be more secure, but we can't do that currently in nova.

Steps to reproduce
==================

- Deploy nova and configure the VNC proxy with TLS by setting the 'cert' and 'key' options in the '[vnc]' section.

- Utilize a tool such as nmap, 'openssl s_client', or an approach like https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers to scan the VNC proxy port for the allowed TLS ciphers and protocols. Here are a few examples of these methods:

$ openssl s_client -ssl3 -connect 192.168.24.26:6080
CONNECTED(00000003)
...snipped for brevity...
---
SSL handshake has read 1816 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : SSLv3
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: F81B02A16309AACDF3019EA808A952C97E902D5A1BDA26CB47468B546B33BDC6
    Session-ID-ctx:
    Master-Key: FA2990F148ACBAE3697B3D88E71BFAF7739642D844178C7AE220BC42B5EA67CA5A4ACD79824123C83FC7DAC4D848417C
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1567199209
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
...snipped for brevity...

$ nmap --script +ssl-enum-ciphers -p 6080 192.168.24.26

Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-30 20:47 UTC
Nmap scan report for overcloud-controller-0.ooo.test (192.168.24.26)
Host is up (0.00010s latency).
PORT     STATE SERVICE
6080/tcp open  unknown
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Expected result
===============
Insecure protocols such as SSLv3 and TLS1.0 should not succeed for connections via 'openssl s_client', and insecure ciphers should not be listed, or it should be possible to disable ciphers/protocols such as these for the console proxies.

We utilize websockify underneath our console proxies, which added support for allowed ciphers and protocol versions to be configurable as of version 0.9.0. If we update the websockify version we require, the TLS cipher and protocol settings could be configured in nova.conf to allow things to be hardened today as well as allowing for crypto-agility in the future. While this would require new (optional) configuration options in nova, I consider this issue to be more of a bug than a feature given that we are forcing people to be using known broken crypto in some cases.

Tags: console
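As an added example (not part of the bug report, and not nova's or websockify's code), the following Python script does the reporter's two checks in code. It parses nmap ssl-enum-ciphers output of the shape quoted in the report and flags the protocol versions and suites that should not be offered, and it builds the kind of server-side ssl.SSLContext the fix lets an operator request (a TLS 1.2 floor and an explicit ECDHE+AEAD suite list instead of the library defaults), then applies the same policy to what that context would actually offer. The sample scan text is constructed, abridged from the report's nmap output; the function names, the cipher string and the weak-suite markers are the example's own choices. The configuration option names that the merged nova change adds are not shown on this page, so the example sets the context directly rather than reading nova.conf.

```python
"""Audit the TLS exposure of a console proxy from a scan, and build the
hardened server context that a configurable cipher/protocol floor gives you.
Added example for this bug report; not nova's or websockify's code."""
import ssl

# Constructed sample, abridged from the nmap --script ssl-enum-ciphers output
# quoted in the report (IANA suite names, nmap's own "|" gutter layout).
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Audit policy (the example's own choice, not a nova setting): these protocol
# versions should not be offered at all ...
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# ... and suites whose IANA name contains one of these fragments are legacy
# constructions (RC4 stream cipher, CBC with HMAC-SHA1, NULL/EXPORT/DES/MD5).
WEAK_SUITE_MARKERS = ("RC4", "_CBC_", "NULL", "EXPORT", "DES", "MD5")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from nmap ssl-enum-ciphers output."""
    offered = {}
    proto = None
    in_ciphers = False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()        # drop nmap's "|" / "|_" gutter
        if not line:
            continue
        if line.endswith(":"):                  # a section header
            key = line[:-1]
            if key.startswith(("SSLv", "TLSv")):
                proto = key
                offered[proto] = []
                in_ciphers = False
            else:
                in_ciphers = key == "ciphers"   # as opposed to "compressors"
            continue
        if proto and in_ciphers and " - " in line:
            suite, _, _strength = line.partition(" - ")
            offered[proto].append(suite)
    return offered


def audit_offered(offered):
    """Findings as (protocol, suite or '*', reason) for a parsed scan."""
    findings = []
    for proto, suites in offered.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append((proto, "*", "deprecated protocol version offered"))
        for suite in suites:
            if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                findings.append((proto, suite, "legacy cipher construction"))
            if suite.startswith("TLS_RSA_WITH_"):
                findings.append((proto, suite, "static RSA key exchange, no forward secrecy"))
    return findings


def hardened_server_context(min_version=ssl.TLSVersion.TLSv1_2,
                            ciphers="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Server-side context with a protocol-version floor and an explicit
    ECDHE+AEAD suite list instead of the OpenSSL/distribution defaults the
    report complains about. Loading the certificate and key is left to the
    caller, as it is independent of the cipher/protocol policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(ciphers)
    return ctx


def context_findings(ctx):
    """The same policy applied to what an SSLContext would actually offer,
    using OpenSSL's per-suite metadata instead of IANA name fragments."""
    findings = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] in DEPRECATED_PROTOCOLS:
            findings.append((suite["protocol"], suite["name"], "deprecated protocol version"))
        if not suite["aead"]:
            findings.append((suite["protocol"], suite["name"], "non-AEAD suite"))
    return findings


if __name__ == "__main__":
    for finding in audit_offered(parse_ssl_enum_ciphers(SAMPLE_NMAP)):
        print("scan: %-8s %-40s %s" % finding)
    print("hardened context findings:", context_findings(hardened_server_context()))
```

Run against the sample, the scan audit reports SSLv3 as a deprecated version and flags every CBC, RC4 and static-RSA suite on both versions, while the hardened context produces no findings; the same two functions can be pointed at real ssl-enum-ciphers output of a console proxy before and after the configuration change to confirm the hardening took effect.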
Changed in nova:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Revision history for this message
melanie witt (melwitt) wrote :

Just wanted to link this old related bug here:

https://bugs.launchpad.net/nova/+bug/1771773

tags: added: console
melanie witt (melwitt)
Changed in nova:
importance: Undecided → Medium
Changed in nova:
assignee: Nathan Kinder (nkinder) → Stephen Finucane (stephenfinucane)
Matt Riedemann (mriedem)
Changed in nova:
importance: Medium → Wishlist
assignee: Stephen Finucane (stephenfinucane) → Nathan Kinder (nkinder)
Changed in nova:
assignee: Nathan Kinder (nkinder) → Douglas Mendizábal (dougmendizabal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/679502
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=08bdcdb5b6866c2b6bf084344cca4dd07b960133
Submitter: Zuul
Branch: master

commit 08bdcdb5b6866c2b6bf084344cca4dd07b960133
Author: Nathan Kinder <email address hidden>
Date: Fri Aug 30 12:24:03 2019 -0700

    Allow TLS ciphers/protocols to be configurable for console proxies

    The console proxies (VNC, SPICE, etc) currently don't allow the
    allowed TLS ciphers and protocol versions to be configurable. This
    results in the defaults being used from the underlying system,
    which may not be secure enough for many deployments. This patch
    allows for the ciphers and minimum SSL/TLS protocol version for
    each console proxy to be configured in nova's config.

    We utilize websockify underneath our console proxies, which added
    support for allowed ciphers and the SSL/TLS version to be
    configurable as of version 0.9.0. This change updates the lower
    constraint for this dependency.

    Closes-Bug: #1842149
    Related-Bug: #1771773
    Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/746798

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/746800

Revision history for this message
Xav Paice (xavpaice) wrote :

Given that we cannot backport this to earlier versions due to the requirement for websockify 0.9, can we have another look at https://review.opendev.org/#/c/589992/ and see if that's something we can apply to earlier versions to set a sensible default?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/stein)

Change abandoned by Douglas Mendizábal (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/746800

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/train)

Change abandoned by Douglas Mendizábal (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/746798
