TLS 1.0 and Weak cipher suites enabled on ports 9001 & 9002 & 6443

Bug #2043217 reported by Karla Felix
Affects    Status        Importance  Assigned to   Milestone
StarlingX  Fix Released  Medium      Karla Felix

Bug Description

Description of failure
The team has concerns with SSL and TLS 1.0 in Starlingx. TLS 1.0 is still supported on ports 9001 & 9002. Also, ports 6443 and 9002 support weak cipher suites. Please see the list attached. Document shows TLS 1.3 is already supported.

Issue intermittent (Frequency of occurrence) or 100% Reproducible?
Issue seen on environment

Impact of Failure
Medium - security concern

Changed in starlingx:
status: New → In Progress
Karla Felix (kkarolin)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/899984
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/ae20ef5fd27d2dc4371443c00e795b2bf9417650
Submitter: "Zuul (22348)"
Branch: master

commit ae20ef5fd27d2dc4371443c00e795b2bf9417650
Author: Karla Felix <email address hidden>
Date: Thu Nov 2 16:51:23 2023 -0300

    Add var for minimum tls version and cipher suites

    This commit will add variables for the minimum TLS version and the
    allowed specific cipher suites in the bootstrap playbook. These
    variables will be added to
    /etc/kubernetes/manifests/kube-apiserver.yaml.

    The yamllint disable-line is used because, during parsing into
    kube-apiserver.yaml, the string cannot contain any blank spaces,
    or the kubelet service will not start.

    Test Plan:

    PASS: Run build-image.
    PASS: Run build-pkgs -c -p playbookconfig.
    PASS: Verify if the flags "--tls-min-version" and
          "--tls-cipher-suites" are present in
          /etc/kubernetes/manifests/kube-apiserver.yaml.
    PASS: Verify if port 6443 is blocking tls version 1.0,
          1.1 and weak cipher suites.

    Closes-Bug: 2043217

    Change-Id: I2af86387dc14ec89f9c3d652dfc4983c8fc06e5c
    Signed-off-by: Karla Felix <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.security
information type: Public → Public Security
Changed in starlingx:
importance: Undecided → Medium
description: updated
Changed in starlingx:
status: Fix Released → In Progress
assignee: nobody → Karla Felix (kkarolin)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to containers (master)

Reviewed: https://review.opendev.org/c/starlingx/containers/+/898684
Committed: https://opendev.org/starlingx/containers/commit/7fb4b3d04a6ad19bfc2af98a0c44fda0a9410989
Submitter: "Zuul (22348)"
Branch: master

commit 7fb4b3d04a6ad19bfc2af98a0c44fda0a9410989
Author: Karla Felix <email address hidden>
Date: Tue Oct 17 19:01:23 2023 -0300

    Upgrade docker-distribution to v2.8.2

    This review will upgrade docker-distribution to v2.8.2, which allows
    the use of 'mintlsversion' to block the use of TLS 1.0, 1.1 and
    weak ciphers.

    This review is also adding a server to the token auth, which
    allows us to add custom configurations, such as the tlsConfig
    that is needed to block TLS 1.0, TLS 1.1 and weak ciphers.

    Test Plan:

    PASS: Run build-image.
    PASS: Run build-pkgs -c -p registry-token-server.
    PASS: Verify if ports 9001 and 9002 are blocking tls1.0, 1.1 and
          weak ciphers.

    Closes-Bug: 2043217

    Change-Id: Ibd7a2d7db68ed40d180724909ec505041ea23ff7
    Signed-off-by: Karla Felix <email address hidden>
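
The policy these commits roll out (a TLS 1.2 floor plus an explicit cipher allow-list on the kube-apiserver and registry ports), together with the "port blocks TLS 1.0/1.1" verification the test plans do with nmap, written out as a stand-alone Go example. This is added illustration, not the registry-token-server's or the StarlingX playbooks' code: the two cipher suites are an example choice rather than the project's configured list, and the loopback httptest server with its throwaway localhost certificate stands in for the real ports.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hardenedTLSConfig is the policy the fix applies on ports 6443, 9001 and 9002:
// TLS 1.2 minimum plus an explicit cipher allow-list. The two suites below are
// an example choice, not StarlingX's configured list.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12, // TLS 1.0 and 1.1 ClientHellos get a protocol_version alert
		CipherSuites: []uint16{ // governs TLS 1.2 only; Go fixes the TLS 1.3 suites itself
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// probeVersions is the code equivalent of the nmap ssl-enum-ciphers check in the
// test plan: it serves srvCfg on a loopback httptest server (throwaway localhost
// certificate) and reports, per TLS version, whether a client pinned to that version handshakes.
func probeVersions(srvCfg *tls.Config) map[uint16]bool {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = srvCfg // StartTLS clones this and adds its own certificate
	srv.StartTLS()
	defer srv.Close()
	res := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		c, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
			InsecureSkipVerify: true, // throwaway test certificate only
			MinVersion:         v,
			MaxVersion:         v,
		})
		res[v] = err == nil
		if c != nil {
			c.Close()
		}
	}
	return res
}

func main() {
	for v, ok := range probeVersions(hardenedTLSConfig()) {
		fmt.Printf("TLS version %#04x accepted: %v\n", v, ok)
	}
}
```

Against the hardened config, 0x0301 (TLS 1.0) and 0x0302 (TLS 1.1) report false while 0x0303 and 0x0304 report true; pointing the same probe at a config without MinVersion shows what the ports looked like before the fix on a Go toolchain that still defaults servers to TLS 1.0.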

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/898786
Committed: https://opendev.org/starlingx/integ/commit/c007315764afcb9a7fb162b79671d32436ce22ea
Submitter: "Zuul (22348)"
Branch: master

commit c007315764afcb9a7fb162b79671d32436ce22ea
Author: Karla Felix <email address hidden>
Date: Wed Oct 18 21:51:11 2023 -0300

    Upversion docker-distribution to v2.8.2+ds1-1

    Upversioning docker-distribution to v2.8.2+ds1-1 to be able to block
    TLS1.0, TLS1.1 in registry-distribution.

    Test Plan:

    PASS: $downloader.
    PASS: $build-pkgs docker-distribution --clean.
    PASS: $build-image.
    PASS: List docker-distribution package installed with apt list |
          grep docker.
    PASS: Verify if ports 9001 and 9002 are blocking tls1.0, 1.1 and
          1.2 with nmap.

    Closes-Bug: 2043217

    Change-Id: Id0fc5f8794af54fc4b87b9cab6cec8b454775410
    Signed-off-by: Karla Felix <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/898323
Committed: https://opendev.org/starlingx/stx-puppet/commit/2fd27d677966ed8ae4c41661b322059b30748caf
Submitter: "Zuul (22348)"
Branch: master

commit 2fd27d677966ed8ae4c41661b322059b30748caf
Author: Karla Felix <email address hidden>
Date: Mon Oct 16 11:27:49 2023 -0300

    Add "minimumtls" flag to docker distribution

    Add flag "minimumtls" with value tls1.2 in dockerdistribution.conf.erb
    to block tls 1.0 and 1.1.

    Test Plan:

    PASS: Run build-image.
    PASS: Run build-pkgs -c -p puppet-manifests.
    PASS: Test port 9001 with: "nmap --script ssl-enum-ciphers -p 10620
          localhost -Pn" and verify if the port allows only TLS 1.2 and
          above.
    PASS: Verify if the "minimumtls" flag is present in
          /etc/docker-distribution/registry/config.yml
    PASS: Push images to local registry.
    PASS: Pull images from local registry.
    PASS: Run system registry-image-list.
    PASS: Run system registry-image-list --filter-out-untagged.
    PASS: Run system registry-image-tag <image_name>
    PASS: Run system registry-image-delete <image:tag>

    Closes-Bug: 2043217
    Depends-On: https://review.opendev.org/c/starlingx/integ/+/898786

    Signed-off-by: Karla Felix <email address hidden>
    Change-Id: I1f917b6f73fceb6ddb3874f20987ce381f942fe0

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to containers (master)

Reviewed: https://review.opendev.org/c/starlingx/containers/+/901172
Committed: https://opendev.org/starlingx/containers/commit/79b9b044b05e5b3dbc24ad8b46d6e79a499e03a2
Submitter: "Zuul (22348)"
Branch: master

commit 79b9b044b05e5b3dbc24ad8b46d6e79a499e03a2
Author: Karla Felix <email address hidden>
Date: Thu Nov 16 12:23:21 2023 -0300

    Fix syntax errors for registry-token-server

    Fix syntax errors in main.go to fix build errors for package
    registry-token-server.

    Test Plan:

    PASS: Run build-pkgs -c -p registry-token-server

    Closes-Bug: 2043217
    Closes-Bug: 2043697

    Change-Id: I8217b6d58572730811f64c2e92af5d3e4ec69819
    Signed-off-by: Karla Felix <email address hidden>
