SSL/TLS advertises the discouraged cipher suites

Bug #2054813 reported by Karla Felix
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Karla Felix
Milestone: (none listed)

Bug Description

Description of failure
There is an application listening on 5443:
root@controller-0:/var/home/sysadmin# netstat -alpn | grep 5443
tcp6 0 0 :::5443 :::* LISTEN 87951/nginx-ingress

On port 5443, we are seeing the vulnerability as follows:

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:
ECDHE-ECDSA-AES128-SHA 0xC0, 0x09 ECDH ECDSA AES-CBC(128) SHA1
ECDHE-ECDSA-AES256-SHA 0xC0, 0x0A ECDH ECDSA AES-CBC(256) SHA1
Port : 5443

So to check this, I simply ran a curl command from a different client to port 5443, which initiates an HTTPS connection with one of the above vulnerable algorithms (e.g. ECDHE-ECDSA-AES128-SHA):

curl -I https://x.x.x.x:5443 --ciphers ecdhe_ecdsa_aes_128_sha -k
HTTP/1.1 400 Bad Request
Date: Tue, 28 Nov 2023 11:42:32 GMT

If the above vulnerable algorithm were not supported by the application running on 5443, the TLS handshake should have failed.
But I see the TLS connection goes through.

Karla Felix (kkarolin)
Changed in starlingx:
assignee: nobody → Karla Felix (kkarolin)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/907615
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/72dd981826862e4142441bc7b67fc03f23d011d3
Submitter: "Zuul (22348)"
Branch: master

commit 72dd981826862e4142441bc7b67fc03f23d011d3
Author: Karla Felix <email address hidden>
Date: Fri Feb 2 12:54:08 2024 -0300

    Removing weak ciphers from kube-apiserver

    This commit will remove support for ciphers considered
    weak based on the NIST list.

    Test Plan:

    PASS: Run build-pkgs -c -p playbookconfig
    PASS: Run build-image
    PASS: Run a fresh install and verify if the cipher-suites are
          present in kube-apiserver.yaml.
    PASS: Run nmap and verify if only listed ciphers are returned.

    Closes-Bug: 2054813

    Change-Id: I0a416ee3975b5659dae050a5e9ed66bdd9b4e6f2
    Signed-off-by: Karla Felix <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to containers (master)

Reviewed: https://review.opendev.org/c/starlingx/containers/+/908302
Committed: https://opendev.org/starlingx/containers/commit/f3a9d673a989f031ff9b483a10aac554f4dc0dc3
Submitter: "Zuul (22348)"
Branch: master

commit f3a9d673a989f031ff9b483a10aac554f4dc0dc3
Author: Karla Felix <email address hidden>
Date: Wed Feb 7 09:20:29 2024 -0300

    Removing weak ciphers from registry-token-server

    This review will remove support for ciphers considered
    weak, based on the NIST list, from the registry token
    server.

    Test Plan:

    PASS: Run build-pkgs -c -p registry-token-server.
    PASS: Run build-image.
    PASS: Run a fresh install and verify if the cipher-suites are
          present in the files.
    PASS: Run nmap and verify if only listed ciphers are returned.
    PASS: Run 'registry-image-list' and verify if the output is
          expected.
    PASS: Do 'docker pull <image>' and verify if the command completes
          successfully.

    Closes-Bug: 2054813

    Change-Id: I3a6a20f5a8a780af13fe279a5eb52e88669c98cf
    Signed-off-by: Karla Felix <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/910888
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Submitter: "Zuul (22348)"
Branch: master

commit 1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Author: Karla Felix <email address hidden>
Date: Mon Mar 4 07:23:49 2024 -0300

    Removing weak ciphers from kube-apiserver

    This commit will remove support for ciphers considered
    weak based on the NIST list.

    All the ciphers are present in the kube-apiserver documentation:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384

    Test Plan:

    PASS: Run build-pkgs -c -p playbookconfig
    PASS: Run build-image
    PASS: Run a fresh install and verify if the cipher-suites are
          present in kube-apiserver.yaml.
    PASS: Run nmap and verify if only listed ciphers are returned.
    PASS: Run bootstrap and unlock and verify if k8s is healthy.

    Closes-Bug: 2054813

    Change-Id: Icf61080a3bd981c5c3383834b2cbf10ce424492b
    Signed-off-by: Karla Felix <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/c/starlingx/config-files/+/909605
Committed: https://opendev.org/starlingx/config-files/commit/6c0909286c2a36397c1e284740cf87666ec51ef0
Submitter: "Zuul (22348)"
Branch: master

commit 6c0909286c2a36397c1e284740cf87666ec51ef0
Author: Karla Felix <email address hidden>
Date: Tue Feb 20 11:47:56 2024 -0300

    Set TLS config for openldap

    This commit sets a minimum TLS version and a rule
    to avoid the use of weak ciphers by openldap.

    Test Plan:

    PASS: Run build-pkgs -c -p openldap-config
    PASS: Run build-image with the changes for openldap-config present.
    PASS: Run 'nmap --script ssl-enum-ciphers' against the desired port to
          see if it is only using TLS 1.2 and TLS 1.3.
    PASS: Create LDAP users on the system controller with ldapusersetup.
          Verify that the user is synchronized to the subcloud.
          Do ldapfinger <username> on the subcloud and verify the user is returned.
          SSH with the user in the subcloud; verify login goes through.
          Run commands with sudo and verify that sudo works without issues.
    PASS: Run a full setup of an AIO-SX and verify the status of slapd
          service.

    Closes-Bug: 2054813

    Change-Id: Iabbc5c877256b4f886706cf7601ea26e5ab54d28
    Signed-off-by: Karla Felix <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/912458

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/912458
Committed: https://opendev.org/starlingx/stx-puppet/commit/075a39e1a2b1e873fdbc3742f6363452431c8717
Submitter: "Zuul (22348)"
Branch: master

commit 075a39e1a2b1e873fdbc3742f6363452431c8717
Author: Karla Felix <email address hidden>
Date: Mon Mar 11 11:16:31 2024 -0300

    Refining rule to remove weak ciphers from lighttpd

    This review will be refining the https ciphers rule, for the
    lighttpd service on port 8443, to avoid the use of
    ciphers considered weak based on the NIST list.
    The ciphers excluded are the ones that use CBC,
    CAMELLIA, ARIA and 3DES encryption mode, and any
    cipher that uses SHA1.

    The ciphers that will be used by https:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
    - TLS_AES_256_GCM_SHA384 (ecdh_x25519)
    - TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
    - TLS_AES_128_GCM_SHA256 (ecdh_x25519)

    Test Plan:
    PASS: Run build-pkgs -c -p puppet-manifests.
    PASS: Enable https and run nmap to verify if only the
          listed ciphers are returned.
    PASS: Run build-image.
    PASS: Run bootstrap playbook.
    PASS: Unlock controller-0.
    PASS: Enable https and access horizon via browser
          using https.
    PASS: Disable https and access horizon via browser
          using http.

    Closes-Bug: 2054813

    Change-Id: Ib21eb1155540f820a77ee7f7b9203663038ab69b
    Signed-off-by: Karla Felix <email address hidden>
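An added verification helper, not code from the bug report or from StarlingX: it encodes the exclusion rule stated in this commit (CBC, CAMELLIA, ARIA, 3DES and any SHA1 suite), compares a scan result against the allow-list above, and repeats the reporter's single-cipher handshake check from the bug description using Python's ssl module instead of curl. The sample scan result is constructed, and probe_cipher's host/port arguments are assumptions; only the offline functions are exercised in the sample data.

```python
import re
import socket
import ssl
# Rule from the lighttpd commit: exclude CBC, CAMELLIA, ARIA, 3DES and any
# SHA1 suite.  Handles IANA names (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) and
# OpenSSL names (ECDHE-RSA-AES128-SHA).  It encodes only this page's rule.
WEAK_MARKERS = ("CBC", "CAMELLIA", "ARIA", "3DES")
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")

def is_weak(suite: str) -> bool:
    """True if the suite falls under the page's exclusion rule."""
    name = suite.strip().upper().split(" ")[0]  # drop "(ecdh_x25519)" notes
    if any(m in name for m in WEAK_MARKERS):
        return True
    if re.search(r"[_-]SHA$", name):  # trailing SHA without digits = SHA1
        return True
    # OpenSSL names omit "CBC": an AES suite with no AEAD marker is CBC.
    return "AES" in name and not any(a in name for a in AEAD_MARKERS)

def audit(advertised, allowed):
    """Split a scanner's advertised list into (weak, not_on_allow_list)."""
    weak = sorted(s for s in advertised if is_weak(s))
    extra = sorted(s for s in advertised if not is_weak(s) and s not in allowed)
    return weak, extra

def probe_cipher(host: str, port: int, openssl_cipher: str, timeout=5.0) -> bool:
    """Offer one TLS 1.2 suite to host:port, as the reporter did with curl
    --ciphers; True means the server accepted it (cert checks off, like curl -k)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher)  # raises if local OpenSSL cannot offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False

# Constructed sample (not real scanner output): the lighttpd allow-list and a
# scan as a scanner might have reported port 5443 before the fix.
ALLOWED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
}
SCAN_BEFORE = ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
               "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"]
```

A suite reported as "extra" is not weak under the rule but is also not on the commit's allow-list, which is worth a second look after a deploy. 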

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/c/starlingx/config-files/+/912776
Committed: https://opendev.org/starlingx/config-files/commit/6a7e681a1155c3a295eaf2cd197f44321c96aad9
Submitter: "Zuul (22348)"
Branch: master

commit 6a7e681a1155c3a295eaf2cd197f44321c96aad9
Author: Karla Felix <email address hidden>
Date: Wed Mar 13 10:47:37 2024 -0300

    Fix syntax for removing SHA1 ciphers in slapd

    This review will fix the syntax that is missing, changing SHA to
    SHA1.

    Test Plan:
    PASS: Run a fresh install of AIO-SX and verify that it unlocks
          controller-0 with no issues.

    Closes-Bug: 2054813

    Change-Id: Id7e1978e42e4c0d560d9fe5fdaf034d79f865b0a
    Signed-off-by: Karla Felix <email address hidden>

Ghada Khalil (gkhalil)
tags: added: stx.10.0