Annual Cipher Validation - Introduction to TLS and SSL in Security Guide

Bug #1619485 reported by N Dillon
This bug affects 1 person
Affects: OpenStack Security Guide Documentation
Status: Fix Released
Importance: Medium
Assigned to: Vinay Potluri

Bug Description

Do we want to continue the recommendations below for the time being?

"When you are using TLS 1.2 and control both the clients and the server, the cipher suite should be limited to ECDHE-ECDSA-AES256-GCM-SHA384. In circumstances where you do not control both endpoints and are using TLS 1.1 or 1.2 the more general HIGH:!aNULL:!eNULL:!DES:!3DES:!SSLv3:!TLSv1:!CAMELLIA is a reasonable cipher selection."
-----------------------------------
Release: 0.0.1 on 2016-08-31 01:41
SHA: d029b6f283e5e2d276738284ce15a1af5beef26d
Source: http://git.openstack.org/cgit/openstack/security-doc/tree/security-guide/source/secure-communication/introduction-to-ssl-and-tls.rst
URL: http://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html

Tags: sec-guide
N Dillon (sicarie)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Doug Chivers (doug-chivers)
Ian Cordasco (icordasc)
affects: openstack-manuals → ossp-security-documentation
Rahul U Nair (rahulunair) wrote :

Hey Doug, are you still working on this? If not, I can take this up.

Changed in ossp-security-documentation:
assignee: Doug Chivers (doug-chivers) → Vinay Potluri (vinay-potluri)
Vinay Potluri (vinay-potluri) wrote :

I feel the current recommendation still holds good for secure communication over public and internal networks. Cipher suite ECDHE-ECDSA-AES256-GCM-SHA384 provides high security when controlling client and server. Cipher suite HIGH:!aNULL:!eNULL:!DES:!3DES:!SSLv3:!TLSv1:!CAMELLIA still provides a high level of security between endpoints. Therefore the current recommendation should not be changed.

All the details have been drafted here https://gist.github.com/vinaypotluri/6ea068e1073fd51267f2052a85479067

Hence the bug will be closed.

Changed in ossp-security-documentation:
status: Confirmed → Fix Released
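
A periodic re-check of the two cipher strings quoted in the bug description can be scripted against the local OpenSSL build. The following is an added example, not part of the bug report or the Security Guide; the names `expand`, `audit` and `BANNED` are assumptions made for illustration.

```python
import ssl

# Cipher strings quoted in the bug description.
STRICT = "ECDHE-ECDSA-AES256-GCM-SHA384"
GENERAL = "HIGH:!aNULL:!eNULL:!DES:!3DES:!SSLv3:!TLSv1:!CAMELLIA"

# Name fragments that the exclusions in GENERAL should leave no trace of:
# NULL (eNULL), ADH/AECDH (aNULL), DES (DES and 3DES), CAMELLIA.
BANNED = ("NULL", "ADH", "AECDH", "DES", "CAMELLIA")


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # On OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately from
    # the cipher string and are always listed, so leave them out here.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise what a cipher string resolves to on this host."""
    suites = expand(cipher_string)
    names = [c["name"] for c in suites]
    return {
        "names": names,
        # Protocol family each suite was defined for. !SSLv3 and !TLSv1
        # drop suites by this family; they do not disable protocol versions.
        "protocols": sorted({c["protocol"] for c in suites}),
        "banned": [n for n in names if any(b in n for b in BANNED)],
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label, string in (("strict", STRICT), ("general", GENERAL)):
        result = audit(string)
        print(f"{label}: {len(result['names'])} suites, "
              f"protocols={result['protocols']}, banned={result['banned']}")
        for name in result["names"]:
            print("   ", name)
```

Keeping the printed list from each run makes it easy to see when an OpenSSL upgrade changes what `HIGH` expands to.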