MAAS TLS sets HSTS forcibly and with too short value

Bug #1995084 reported by Nobuto Murata
This bug affects 2 people
Affects             Status        Importance  Assigned to     Milestone
MAAS                Fix Released  High        Alberto Donato
MAAS documentation  New           Undecided   Unassigned

Bug Description

maas: 1:3.2.6-12016-g.19812b4da-0ubuntu1~20.04.1

After enabling TLS in MAAS[1], MAAS sets Strict-Transport-Security 'max-age=86400'.

[1] https://maas.io/docs/how-to-enable-tls-encryption

There are two issues here:

1. HSTS is forced, which prevents testing of TLS setup and cert/key by enabling and disabling TLS in MAAS.

MAAS offers a way to enable and disable TLS respectively:

$ maas config-tls -h
...
  COMMAND
    enable Enable TLS and switch to a secured mode (https).
    disable Disable TLS and switch to a non-secured mode (http).

However, disabling doesn't work as expected, since clients will remember to always upgrade the connection to HTTPS because of HSTS, so they cannot connect to MAAS over HTTP.

So it would be nice to add "--enable-hsts" or something to the API so one can test TLS without HSTS first. Once the testing is done, they can enable HSTS explicitly with confidence.

$ maas config-tls enable -h
(...)
  -h, --help show this help message and exit
  --cacert CACERT path to CA certificates chain in PEM format (default: None)
  -p PORT, --port PORT HTTPS port (default: 5443)
  --yes Skip interactive confirmation (default: False)

2. The value for HSTS is too short.

The recommended value is >= 6 months, and a security scanner is complaining about the value.

 Strict Transport Security 86400 s = 1 days is too short ( >= 15552000 seconds recommended), includeSubDomains
 Grade cap reasons Grade capped to A. HSTS max-age is too short

https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1f&guideline=5.6
> max-age=63072000
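The following is an added example, not code from MAAS or from the bug reporter. It parses a Strict-Transport-Security header out of a raw HTTP response and grades it the way the scanner quoted above does: flagging the MAAS default of max-age=86400 as too short against the 15552000 s threshold, passing the Mozilla value of 63072000, and recognising max-age=0, which per RFC 6797 section 6.1.1 is the value a server must send (over HTTPS, since browsers ignore the header on plain HTTP per section 8.1) to make clients forget a cached policy before TLS is switched off. The response text, the threshold constants and the function names are constructed for the example; only the two max-age values come from the report.

```python
"""Parse and grade Strict-Transport-Security headers (added example, not MAAS code)."""
from dataclasses import dataclass
from typing import List, Optional

# Threshold used by the scanner output quoted in the report (180 days) and the
# value the Mozilla SSL Configuration Generator emits for nginx (2 years).
SCANNER_MIN_MAX_AGE = 15_552_000
MOZILLA_MAX_AGE = 63_072_000

# Constructed response for illustration; only max-age=86400 is taken from the
# report (the value MAAS sends after config-tls enable).
MAAS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def hsts_from_response(raw_response: str) -> Optional[str]:
    """Return the Strict-Transport-Security value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header (RFC 6797, section 6.1).

    Directive names are case-insensitive and max-age is a non-negative integer.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def grade_hsts(header_value: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy passes."""
    if header_value is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    policy = parse_hsts(header_value)
    findings: List[str] = []
    if policy.max_age is None:
        # Without max-age the header is invalid and browsers ignore it.
        return ["max-age directive missing: header is invalid and ignored"]
    if policy.max_age == 0:
        # RFC 6797 section 6.1.1: max-age=0 tells the browser to drop the cached
        # policy; a clean 'disable' has to send this over HTTPS before the
        # listener goes back to plain HTTP, otherwise clients keep upgrading.
        findings.append("max-age=0: clears any cached policy (HSTS effectively off)")
    elif policy.max_age < SCANNER_MIN_MAX_AGE:
        days = policy.max_age // 86400
        findings.append(
            f"max-age {policy.max_age} s = {days} day(s) is too short "
            f"(>= {SCANNER_MIN_MAX_AGE} s recommended, Mozilla uses {MOZILLA_MAX_AGE})"
        )
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set (protects subdomains; required for preload)")
    return findings


if __name__ == "__main__":
    value = hsts_from_response(MAAS_RESPONSE)
    print(f"MAAS header: {value!r}")
    for finding in grade_hsts(value):
        print("  -", finding)
    print("Mozilla value:", grade_hsts(f"max-age={MOZILLA_MAX_AGE}; includeSubDomains") or "OK")
```

Against a live MAAS the same check is `curl -sI https://<maas-host>:5443/ | grep -i strict-transport-security`, which also shows why `config-tls disable` alone is not enough: once a browser has cached the policy, only a `max-age=0` header served over HTTPS (or clearing the browser's HSTS cache, as suggested below) will let it fall back to HTTP.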


Nobuto Murata (nobuto)
description: updated
Björn Tillenius (bjornt) wrote :

HSTS should be optional and the max-age should be configurable with a sane default.

Changed in maas:
status: New → Triaged
importance: Undecided → High
milestone: none → 3.4.0
Jerzy Husakowski (jhusakowski) wrote :

We can set the HSTS timeout to the recommended 6 months. Disabling TLS for testing purposes may require removing HSTS settings from the browser or testing in incognito mode.

Alberto Donato (ack)
Changed in maas:
assignee: nobody → Alberto Donato (ack)
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.0-beta1
Alberto Donato (ack)
Changed in maas:
status: Fix Committed → Fix Released