Comment 7 for bug 2054813

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/912458
Committed: https://opendev.org/starlingx/stx-puppet/commit/075a39e1a2b1e873fdbc3742f6363452431c8717
Submitter: "Zuul (22348)"
Branch: master

commit 075a39e1a2b1e873fdbc3742f6363452431c8717
Author: Karla Felix <email address hidden>
Date: Mon Mar 11 11:16:31 2024 -0300

    Refining rule to remove weak ciphers from lighttpd

    This review will be refining https ciphers rule, for
    lighttpd service on port 8443, to avoid the use of
    ciphers considered weak based on the NIST list.
    The ciphers excluded are the ones that use CBC,
    CAMELLIA, ARIA and 3DES encryption mode, and any
    cipher that uses SHA1.

    The ciphers that will be used by https:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
    - TLS_AES_256_GCM_SHA384 (ecdh_x25519)
    - TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
    - TLS_AES_128_GCM_SHA256 (ecdh_x25519)

    Test Plan:
    PASS: Run build-pkgs -c -p puppet-manifests.
    PASS: Enable https and run nmap to verify if only the
          listed ciphers are returned.
    PASS: Run build-image.
    PASS: Run bootstrap playbook.
    PASS: Unlock controller-0.
    PASS: Enable https and access horizon via browser
          using https.
    PASS: Disable https and access horizon via browser
          using http.

    Closes-Bug: 2054813

    Change-Id: Ib21eb1155540f820a77ee7f7b9203663038ab69b
    Signed-off-by: Karla Felix <email address hidden>
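
The nmap step in the test plan above can be automated. This is an added example, not part of the commit or of stx-puppet: it parses `ssl-enum-ciphers`-style output and reports every offered suite outside the commit's allowlist, with the excluded class it falls into. The function names and the sample scan output are constructed for illustration.

```python
import re

# Allowlist copied from the commit message above.
ALLOWED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}
# Classes the commit excludes, matched on the '_'-separated tokens of IANA names.
WEAK_TOKENS = {"CBC": "CBC mode", "CAMELLIA": "CAMELLIA", "ARIA": "ARIA",
               "3DES": "3DES", "SHA": "SHA1 MAC"}
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\b")

def offered_ciphers(nmap_output):
    """Return the set of suite names listed in ssl-enum-ciphers output."""
    found = set()
    for line in nmap_output.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            # Some nmap versions print TLS 1.3 suites as TLS_AKE_WITH_*.
            found.add(m.group(1).replace("TLS_AKE_WITH_", "TLS_"))
    return found

def audit(nmap_output):
    """Map each offered suite outside the allowlist to the reasons it fails."""
    findings = {}
    for suite in sorted(offered_ciphers(nmap_output) - ALLOWED):
        tokens = suite.split("_")
        reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
        findings[suite] = reasons or ["not in allowlist"]
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_BEFORE = """\
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""
```

An empty result from `audit()` means the scan returned only the six listed suites; any entry is a regression against this fix.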