FedRAMP requires cloud providers to use TLS v1.1 as a minimum

Bug #1754368 reported by Juan Antonio Osorio Robles
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Juan Antonio Osorio Robles

Bug Description

FedRAMP [1] recently proposed a requirement [2] for cloud providers to use TLS v1.1 as a minimum. We currently only enforce that SSL v3 is disabled. So we should fix our configuration to meet this requirement.

[1] https://www.fedramp.gov/

[2] https://www.fedramp.gov/assets/resources/documents/CSP_TLS_Requirements.pdf

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/550872

Changed in tripleo:
milestone: none → rocky-1
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/550872
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ebde918b0f0cea8715a30f57ca7c2683dd477c50
Submitter: Zuul
Branch: master

commit ebde918b0f0cea8715a30f57ca7c2683dd477c50
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 8 17:28:27 2018 +0200

    Disallow TLS v1.0 from HAProxy

    This forces HAProxy to only accept newer versions of TLS, which allows
    us to meet FedRAMP requirements.

    Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
    Related-Bug: #1754368

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/552461

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/552461
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fb7a34ba888aa6aa59bbf68fc898b7c8f99f4a42
Submitter: Zuul
Branch: stable/queens

commit fb7a34ba888aa6aa59bbf68fc898b7c8f99f4a42
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 8 17:28:27 2018 +0200

    Disallow TLS v1.0 from HAProxy

    This forces HAProxy to only accept newer versions of TLS, which allows
    us to meet FedRAMP requirements.

    Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
    Related-Bug: #1754368
    (cherry picked from commit ebde918b0f0cea8715a30f57ca7c2683dd477c50)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/553339

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/553341

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/553339
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2df761b58ee7820f150d4e622d1925fb70f6f051
Submitter: Zuul
Branch: stable/pike

commit 2df761b58ee7820f150d4e622d1925fb70f6f051
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 8 17:28:27 2018 +0200

    Disallow TLS v1.0 from HAProxy

    This forces HAProxy to only accept newer versions of TLS, which allows
    us to meet FedRAMP requirements.

    Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
    Related-Bug: #1754368
    (cherry picked from commit ebde918b0f0cea8715a30f57ca7c2683dd477c50)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/553341
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=30c7009ce6e8f2e1bef836b61f33c9098978a1d1
Submitter: Zuul
Branch: stable/ocata

commit 30c7009ce6e8f2e1bef836b61f33c9098978a1d1
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 8 17:28:27 2018 +0200

    Disallow TLS v1.0 from HAProxy

    This forces HAProxy to only accept newer versions of TLS, which allows
    us to meet FedRAMP requirements.

    Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
    Related-Bug: #1754368
    (cherry picked from commit ebde918b0f0cea8715a30f57ca7c2683dd477c50)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/554422

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/554422
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=b83cc42da9b037bbbd1461f559a53e1d3258743b
Submitter: Zuul
Branch: stable/newton

commit b83cc42da9b037bbbd1461f559a53e1d3258743b
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 8 17:28:27 2018 +0200

    Disallow TLS v1.0 from HAProxy

    This forces HAProxy to only accept newer versions of TLS, which allows
    us to meet FedRAMP requirements.

    Conflicts:
          manifests/haproxy.pp

    Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
    Related-Bug: #1754368
    (cherry picked from commit ebde918b0f0cea8715a30f57ca7c2683dd477c50)

tags: added: in-stable-newton
Changed in tripleo:
status: New → Fix Released
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/560086

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/562509

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/562512
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a5561f0a1d48ff3364f6e1785000dd454bd57057
Submitter: Zuul
Branch: master

commit a5561f0a1d48ff3364f6e1785000dd454bd57057
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Apr 19 07:53:01 2018 +0000

    Force stunnel to use TLSv1.2

    This allows us to force a TLS version for stunnel, which we
    set to TLSv1.2. This ensures that we're compliant with FedRAMP,
    which requires a minimum version of TLSv1.1.

    Unfortunately, using the "option" key didn't work in the configuration
    as was tried in a previous commit. This option would have only
    disabled the versions we set, instead of only allowing one, like
    "sslVersions" does. This seems to be the only alternative we have at
    the moment.

    Related-Bug: #1754368
    Change-Id: I353f893ee5dcc265269704e23f65aa0460724078

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/562960

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/562961

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/pike)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/562961

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/562509
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1b54e4b5a72446cd92042485a48cb82cc451a475
Submitter: Zuul
Branch: master

commit 1b54e4b5a72446cd92042485a48cb82cc451a475
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Apr 19 09:51:20 2018 +0300

    Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP compliance.

    We now enforce TLS1.1 or higher for httpd connections, to meet the
    requirements for FedRAMP.

    Change-Id: If875822f1cb705d17405621e64fea2536edc142a
    Related-Bug: #1754368

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/563136

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/562960
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5b8e3e121b3f6cdfcc3c95fdc06ab41384b55a2c
Submitter: Zuul
Branch: stable/queens

commit 5b8e3e121b3f6cdfcc3c95fdc06ab41384b55a2c
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Apr 19 07:53:01 2018 +0000

    Force stunnel to use TLSv1.2

    This allows us to force a TLS version for stunnel, which we
    set to TLSv1.2. This ensures that we're compliant with FedRAMP,
    which requires a minimum version of TLSv1.1.

    Unfortunately, using the "option" key didn't work in the configuration
    as was tried in a previous commit. This option would have only
    disabled the versions we set, instead of only allowing one, like
    "sslVersions" does. This seems to be the only alternative we have at
    the moment.

    Related-Bug: #1754368
    Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
    (cherry picked from commit a5561f0a1d48ff3364f6e1785000dd454bd57057)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/562961
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c94340b812c6d4de21793b69edccdcf4796f69a6
Submitter: Zuul
Branch: stable/pike

commit c94340b812c6d4de21793b69edccdcf4796f69a6
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Apr 19 07:53:01 2018 +0000

    Force stunnel to use TLSv1.2

    This allows us to force a TLS version for stunnel, which we
    set to TLSv1.2. This ensures that we're compliant with FedRAMP,
    which requires a minimum version of TLSv1.1.

    Unfortunately, using the "option" key didn't work in the configuration
    as was tried in a previous commit. This option would have only
    disabled the versions we set, instead of only allowing one, like
    "sslVersions" does. This seems to be the only alternative we have at
    the moment.

    Related-Bug: #1754368
    Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
    (cherry picked from commit a5561f0a1d48ff3364f6e1785000dd454bd57057)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/563136
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=17be56bc19014e579418a52fa9aee38a39c17c33
Submitter: Zuul
Branch: stable/queens

commit 17be56bc19014e579418a52fa9aee38a39c17c33
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Apr 19 09:51:20 2018 +0300

    Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP compliance.

    We now enforce TLS1.1 or higher for httpd connections, to meet the
    requirements for FedRAMP.

    Change-Id: If875822f1cb705d17405621e64fea2536edc142a
    Related-Bug: #1754368
    (cherry picked from commit 1b54e4b5a72446cd92042485a48cb82cc451a475)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/566509

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/566509
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Submitter: Zuul
Branch: stable/queens

commit d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Author: Damien Ciabrini <email address hidden>
Date: Fri Apr 27 12:37:07 2018 -0400

    Disallow SSLv2, SSLv3 and TLS1.0 in mysql for FedRAMP compliance

    We cannot disable a specific protocol when using SSL in mysql, so in order to
    enforce TLS1.1 or greater, we disallow all ciphers provided by SSLv2 SSLv3 and
    TLS1.0.

    Galera group communication cannot be configured with a list of available
    ciphers, so configure gcomm to use AES128-SHA256, which seems to be the closest
    from the default AES128-SHA.

    Inherit the cipher list settings for the rsync SST.

    Related-Bug: #1754368

    Change-Id: Ib3625020e60665f91b9009e7f06b9b25a6970a9b
    (cherry picked from commit 1c46f6e1cd6fbaee688e153422a951acfbdaf4f6)
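
A defender's check for the HAProxy, stunnel, httpd and mysql changes tracked in this bug, as an added Python example that is not code from puppet-tripleo or tripleo-heat-templates: it probes which TLS versions an endpoint still negotiates and judges the result against the TLS 1.1 minimum the bug states. `host`/`port` are whatever listener you point it at; the probe speaks TLS directly on the socket, so it fits HAProxy, stunnel and httpd listeners, while MySQL (which upgrades to TLS inside its own protocol) needs a client that does that upgrade first.

```python
import socket
import ssl

# Versions probed, oldest first. ssl.TLSVersion has no SSLv2/SSLv3 members, so
# this covers TLS 1.0 through 1.3 (SSLv3 was already disabled before this bug).
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
FEDRAMP_MINIMUM = ssl.TLSVersion.TLSv1_1   # minimum named in the bug report


def version_accepted(host, port, version, timeout=5.0):
    """Handshake pinned to exactly `version`: True if the server completes it,
    False if it refuses, None if the local OpenSSL cannot offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # protocol policy is under test, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let legacy versions be offered at all
    except ssl.SSLError:
        pass                          # builds without security levels keep defaults
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False                  # refused version, no shared cipher, or reset


def probe(host, port):
    """Map each probed version to the outcome of version_accepted()."""
    return {v: version_accepted(host, port, v) for v in PROBE_VERSIONS}


def fedramp_compliant(results, minimum=FEDRAMP_MINIMUM):
    """True only when no version below `minimum` was accepted and at least one
    version at or above it was; unknown (None) outcomes never count as accepted."""
    legacy_accepted = any(ok for v, ok in results.items() if v < minimum)
    modern_accepted = any(ok for v, ok in results.items() if v >= minimum)
    return not legacy_accepted and modern_accepted
```

Run `fedramp_compliant(probe(host, port))` against each listener after the puppet change is applied; a mysql listener hardened by cipher removal alone shows up as a failed TLS 1.0 handshake rather than a version refusal, which this check counts the same way.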

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (master)

Change abandoned by Alex Schultz (<email address hidden>) on branch: master
Review: https://review.opendev.org/560086
Reason: I353f893ee5dcc265269704e23f65aa0460724078 implemented something like this already
