Activity log for bug #1995084

Date Who What changed Old value New value Message
2022-10-28 09:06:28 Nobuto Murata bug added bug
2022-10-28 09:08:15 Nobuto Murata description (old and new values follow)

Old value:

maas: 1:3.2.6-12016-g.19812b4da-0ubuntu1~20.04.1

After enabling TLS in MAAS[1], MAAS sets Strict-Transport-Security 'max-age=86400'.

[1] https://maas.io/docs/how-to-enable-tls-encryption

There are two issues here:

1. HSTS is forced, which prevents testing of the TLS setup and cert/key by enabling and disabling TLS in MAAS.

MAAS offers a way to enable and disable TLS respectively:

$ maas config-tls -h
...
  COMMAND
    enable    Enable TLS and switch to a secured mode (https).
    disable   Disable TLS and switch to a non-secured mode (http).

However, disabling doesn't work as expected, since the clients will remember to always upgrade the connection to HTTPS because of HSTS, so they cannot connect to MAAS with HTTP.

So it would be nice to add "--enable-hsts" or something to the API so one can test TLS without HSTS first. Once the testing is done, they can enable HSTS after that explicitly with confidence.

$ maas config-tls enable -h
(...)
  -h, --help            show this help message and exit
  --cacert CACERT       path to CA certificates chain in PEM format (default: None)
  -p PORT, --port PORT  HTTPS port (default: 5443)
  --yes                 Skip interactive confirmation (default: False)

2. The value for HSTS is too short. The recommended value is >= 6 months, and a security scanner is complaining about the value.

Strict Transport Security 86400 s = 1 days is too short ( >= 15552000 seconds recommended), includeSubDomains

Grade cap reasons
Grade capped to A. HSTS max-age is too short

New value:

Identical to the old value, with the following appended at the end:

https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1f&guideline=5.6
> max-age=63072000
2022-10-28 09:29:59 Björn Tillenius maas: status New -> Triaged
2022-10-28 09:30:09 Björn Tillenius maas: importance Undecided -> High
2022-10-28 09:30:12 Björn Tillenius maas: milestone 3.4.0
2023-04-21 08:50:57 Alberto Donato maas: assignee Alberto Donato (ack)
2023-04-21 08:51:00 Alberto Donato maas: status Triaged -> In Progress
2023-04-21 10:09:19 Anton Troyanov merge proposal linked https://code.launchpad.net/~ack/maas/+git/maas/+merge/441659
2023-04-21 10:43:06 Adam Collard bug task added maas-doc
2023-04-21 12:55:20 MAAS Lander maas: status In Progress -> Fix Committed
2023-04-27 07:04:46 Alberto Donato maas: milestone 3.4.0 -> 3.4.0-beta1
2023-05-16 16:58:57 Alberto Donato maas: status Fix Committed -> Fix Released
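A check for the two points raised in the bug description, as an added example that is not MAAS code: it parses a Strict-Transport-Security header value, grades max-age against the scanner threshold (15552000 s) and the Mozilla value (63072000 s) quoted in the report, and shows how long a client that already received the header stays pinned to HTTPS after TLS is disabled on the server. The header strings are constructed samples.

```python
from dataclasses import dataclass

SCANNER_MIN_MAX_AGE = 15552000  # scanner threshold quoted in the report (about 6 months)
MOZILLA_MAX_AGE = 63072000      # Mozilla SSL Configuration Generator value linked in the report (2 years)

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated,
    case-insensitive directives; only max-age carries a value, and it is required."""
    max_age, flags = None, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, "includesubdomains" in flags, "preload" in flags)

def assess_max_age(header: str) -> str:
    """Classify max-age the way the scanner quoted in the report does."""
    max_age = parse_hsts(header).max_age
    if max_age < SCANNER_MIN_MAX_AGE:
        return f"too short: {max_age} s = {max_age // 86400} days (>= {SCANNER_MIN_MAX_AGE} s recommended)"
    if max_age < MOZILLA_MAX_AGE:
        return f"acceptable: {max_age} s, below the Mozilla value of {MOZILLA_MAX_AGE} s"
    return f"ok: {max_age} s"

def seconds_still_pinned(header: str, elapsed: int) -> int:
    """Seconds for which a client that saw this header `elapsed` seconds ago keeps
    forcing HTTPS after the server disables TLS (issue 1 in the report)."""
    return max(0, parse_hsts(header).max_age - elapsed)

# Constructed sample values: what MAAS sets after enabling TLS, and the Mozilla one.
MAAS_HEADER = "max-age=86400"
MOZILLA_HEADER = "max-age=63072000; includeSubDomains"

if __name__ == "__main__":
    for h in (MAAS_HEADER, MOZILLA_HEADER):
        print(f"{h!r}: {assess_max_age(h)}; pinned for {seconds_still_pinned(h, 3600)} s more")
```

The pinning number is the flip side of raising max-age: a longer value satisfies the scanner, but it also lengthens the window in which "maas config-tls disable" leaves already-connected clients unable to reach MAAS over HTTP.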