keystone httpd conf security hardening

Bug #1437481 reported by Ian Cordasco
Affects: OpenStack-Ansible | Status: Fix Released | Importance: Undecided | Assigned to: Ian Cordasco | Milestone: (none)

Bug Description

Following on the heels of https://tools.ietf.org/html/rfc7465 (admittedly more than a month after it was published) we should remove RC4 from our cipher suite in keystone httpd. Further, we should probably use the cipher string that is maintained by Hynek Schlawack here: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/.

Beyond that, we should consider removing support for SSLv3 as well. I doubt keystone will be speaking with any Internet Explorer browsers or with a system that does not support at least TLSv1.

Ian Cordasco (icordasc)
Changed in openstack-ansible:
assignee: nobody → Ian Cordasco (icordasc)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/168523

Changed in openstack-ansible:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to os-ansible-deployment (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/171838

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/168523
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=56e7fb66611516bd719fe882bacf2b4b1aa45cb5
Submitter: Jenkins
Branch: master

commit 56e7fb66611516bd719fe882bacf2b4b1aa45cb5
Author: Ian Cordasco <email address hidden>
Date: Fri Mar 27 16:51:23 2015 -0500

    Harden Keystone's Apache config

    Previously the keystone-httpd.conf was only blacklisting SSLv2 and was
    allowing suboptimal (and in some cases, prohibited) cipher suites (e.g.,
    RC4).

    Change-Id: I4456bc1a0056da051947977a26dd6d57c549e421
    Closes-bug: 1437481

Changed in openstack-ansible:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/171838
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=f2c5ffe7b192b547f54b5da7f55b4be16890360a
Submitter: Jenkins
Branch: master

commit f2c5ffe7b192b547f54b5da7f55b4be16890360a
Author: Ian Cordasco <email address hidden>
Date: Wed Apr 8 17:12:37 2015 -0500

    Genericize how we update SSL settings for Apache

    In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
    Apache SSL settings. In order to keep all Apache SSL settings uniformly
    configured, we also need to update Horizon's settings and centralize
    where we define the cipher suite that the server supports and the
    preferred protocol versions.

    We also explicitly disable SSLCompression even though we tend to only
    test against versions of Apache that have this off by default. If
    someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
    have to explicitly turn this off. Preferring security by default, we
    disable it explicitly to prevent insecure installations anywhere.

    We also document how users can override specific service SSL settings in
    the event one service needs to support older clients that require
    certain protocols or ciphers. For example, it's very plausible that an
    organization may need to enable RC4 and SSLv3 for Horizon since their
    users are still using XP and an old version of Internet Explorer.

    Related-Bug: 1437481
    Change-Id: I85843452935710083253847d6e11f85e9d6d2e84

Changed in openstack-ansible:
status: Fix Committed → Fix Released
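The two commits above describe the hardening in words: drop SSLv3 alongside SSLv2, remove RC4 from the cipher suite, prefer the server's cipher order and turn SSLCompression off explicitly. The script below is an added example, not code from os-ansible-deployment or from the commits, that audits an Apache mod_ssl fragment for exactly those four points. Both configuration snippets are constructed for the example (the "before" mirrors the bug report's description of a config that only blacklisted SSLv2 and still admitted RC4); the hardened cipher list is illustrative and is not the project's exact string. Expanding Apache's `all` keyword to include SSLv2 is a deliberately conservative assumption for auditing, since older 2.2 builds included it.

```python
"""Audit Apache mod_ssl directives for the weaknesses this bug fixed."""

# Constructed 'before' configuration, modelled on the bug report: only SSLv2
# is blacklisted and the cipher list still admits RC4. Hypothetical, not the
# project's real keystone-httpd.conf.
WEAK_CONF = """\
<VirtualHost *:5000>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
</VirtualHost>
"""

# Constructed hardened configuration. The cipher list is illustrative only.
HARDENED_CONF = """\
<VirtualHost *:5000>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCompression off
</VirtualHost>
"""

# Conservative expansion of the "all" keyword (assumption: Apache 2.2 builds
# included SSLv2 in it, so treat it as enabled unless explicitly removed).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL keywords that can pull RC4 back in on older builds unless !RC4 is set.
BROAD_CIPHER_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "COMPLEMENTOFDEFAULT"}


def parse_directives(conf):
    """Return {directive: value} for the directives in a config fragment.

    Container tags (<VirtualHost>) and comments are skipped; the last
    occurrence of a directive wins, as it does in Apache within one scope.
    """
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def enabled_protocols(spec):
    """Resolve an SSLProtocol value such as "all -SSLv2 -SSLv3" to a set."""
    enabled = set()
    for token in spec.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(conf)
    findings = []

    # 1. Protocol versions: SSLv2 and SSLv3 must both be removed.
    for bad in sorted(enabled_protocols(d.get("SSLProtocol", "all")) & INSECURE_PROTOCOLS):
        findings.append(f"{bad} is still enabled")

    # 2. Cipher suite: RC4 is prohibited by RFC 7465.
    ciphers = d.get("SSLCipherSuite", "DEFAULT").split(":")
    rc4_excluded = any(c.upper() in ("!RC4", "-RC4") for c in ciphers)
    if any("RC4" in c.upper() and not c.startswith(("!", "-")) for c in ciphers):
        findings.append("RC4 cipher suites are explicitly allowed (RFC 7465)")
    elif not rc4_excluded and any(c.upper() in BROAD_CIPHER_KEYWORDS for c in ciphers):
        findings.append("broad cipher keyword used without !RC4; RC4 may be negotiable")

    # 3. Server-side cipher preference (Apache default is off).
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client picks the suite")

    # 4. Compression: disable explicitly rather than rely on the build default.
    if d.get("SSLCompression", "on").lower() != "off":
        findings.append("SSLCompression is not explicitly off")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Running the script reports four findings for the weak fragment (SSLv3 enabled, RC4 allowed, no cipher-order preference, compression not disabled) and none for the hardened one. The per-service override the second commit documents, such as re-enabling SSLv3 for Horizon, would show up as a deliberate finding on that one vhost, which is the point of centralising the defaults: an exception has to be written down where it can be audited.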