Secure TLS configuration by default
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ceph RADOS Gateway Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Ceilometer Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Cinder Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Dashboard Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Glance Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Heat Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Keystone Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Neutron API Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Nova Cloud Controller Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Octavia Charm |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack RabbitMQ Server Charm |
Fix Released
|
Medium
|
Unassigned | ||
OpenStack Swift Proxy Charm |
Fix Released
|
Undecided
|
Unassigned | ||
charm-layer-ovn |
Invalid
|
Undecided
|
Unassigned | ||
charm-ovn-central |
Invalid
|
Undecided
|
Unassigned | ||
openvswitch (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
From the discussion on bug 1851673, I am opening this bug to track modernisation of TLS configuration across all OpenStack charms.
It is important that the charms are providing opinionated, good practice defaults - we need to ensure TLS1.0 and TLS1.1 are removed from the supported ciphers as they are widely held to be deprecated and insecure. The current industry practice of disabling these TLS versions is described in the linked IETF draft: "Industry has actively followed guidance provided by NIST and the PCI Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2 should remain a minimum baseline for TLS support at this time." [0]
In addition, we should downselect a good practice set of ciphers from the cross-section of ciphers with good client (browser, API client) support, and ciphers which follow current good cryptographic practice.
A good baseline for this comes from the Apache project documentation [1] which in turn is based on Mozilla's security guidance around server-side TLS Ciphers [2].
The below can be used to represent Mozilla's "intermediate" compatibility cipher suite, which enables TLS1.2 and TLS1.3. TLS1.2 is also important as I don't believe all shipped versions of apache2 with supported Ubuntu releases support TLS1.3 yet.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Users requiring insecure (or stronger!) cipher suites and versions would be able to customise them once 1851673 has been addressed, but until then, it would be simpler to give guidance around cipher support. For folks who need less secure configuration, we could simply give guidance around which specific charm releases support which TLS configurations. In my mind, having some users on older charm releases is better than blocking implementation of a more secure cipher suite on being able to customise the TLS configuration via charm settings.
[0] https:/
[1] https:/
[2] https:/
Changed in charm-openstack-dashboard: | |
milestone: | none → 20.10 |
Changed in charm-nova-cloud-controller: | |
milestone: | none → 20.10 |
Changed in charm-neutron-api: | |
milestone: | none → 20.10 |
Changed in charm-keystone: | |
milestone: | none → 20.10 |
Changed in charm-heat: | |
milestone: | none → 20.10 |
Changed in charm-glance: | |
milestone: | none → 20.10 |
Changed in charm-cinder: | |
milestone: | none → 20.10 |
Changed in charm-ceph-radosgw: | |
milestone: | none → 20.10 |
Changed in charm-ceilometer: | |
milestone: | none → 20.10 |
Changed in charm-octavia: | |
milestone: | none → 20.10 |
Changed in charm-rabbitmq-server: | |
importance: | Undecided → Medium |
status: | New → Triaged |
milestone: | none → 22.04 |
Changed in charm-rabbitmq-server: | |
status: | Fix Committed → Fix Released |
Changed in openvswitch (Ubuntu): | |
status: | In Progress → Invalid |
Subscribing field high as this has become a security issue without a good workaround.