Summary: FedRAMP requires cloud providers to use TLS v1.1 as a minimum
Product: Red Hat OpenStack
Component: puppet-tripleo
Version: 13.0 (Queens)
Target Release: 13.0 (Queens)
Reporter: Juan Antonio Osorio <josorior>
Assignee: RHOS Maint <rhos-maint>
QA Contact: pkomarov
CC: acanan, chjones, dbecker, hrybacki, jjoyce, jschluet, kbasil, mburns, morazi, pkomarov, rhel-osp-director-maint, sclewis, slinaber, tvignaud
Status: CLOSED ERRATA
Type: Bug
Fixed In Version: puppet-tripleo-8.3.2-4.el7ost
Last Closed: 2018-06-27 13:35:14 UTC
(unlabeled field): 1572353
Bug Blocks: 1572353, 1572355
Description Juan Antonio Osorio 2018-03-08 15:35:18 UTC
Description of problem:
FedRAMP recently proposed a requirement for cloud providers to use TLS v1.1 as a minimum. We currently only enforce no SSL v3. So we should fix our configuration to meet this requirement.
https://www.fedramp.gov/
https://www.fedramp.gov/assets/resources/documents/CSP_TLS_Requirements.pdf

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP13
2. Log into a controller
3. Only no-sslv3 is in the HAProxy configuration

Expected results:
We should be disallowing TLS v1.0
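An added example, not code from the bug report or from puppet-tripleo: a small Python check that parses a constructed haproxy.cfg and reports the lowest protocol version its global `ssl-default-bind-options` still permit, so the "only no-sslv3" state described above is flagged as below the TLS 1.1 floor while a config that also carries `no-tlsv10`, or an explicit `ssl-min-ver`, passes. The `no-tlsvXX` and `ssl-min-ver` keywords are HAProxy's own (`ssl-min-ver` is assumed to need HAProxy 1.8 or later); the sample configurations are constructed.

```python
# Added example, not code from the bug report or from puppet-tripleo.
# Reports the lowest protocol version an haproxy.cfg still allows via its
# global `ssl-default-bind-options`, so a config carrying only `no-sslv3`
# (the state the bug describes) is flagged as below the TLS 1.1 floor.
# Keywords are HAProxy's own; `ssl-min-ver` is assumed to need HAProxy 1.8+.
from typing import Optional

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DISABLE = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0", "no-tlsv11": "TLSv1.1",
           "no-tlsv12": "TLSv1.2", "no-tlsv13": "TLSv1.3"}

def min_tls_version(haproxy_cfg: str) -> Optional[str]:
    """Lowest protocol version still negotiable under the default bind options."""
    allowed = set(VERSIONS)
    for raw in haproxy_cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()          # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "ssl-default-bind-options":
            continue
        opts = tokens[1:]
        for i, opt in enumerate(opts):
            if opt in DISABLE:                          # version-blacklist form
                allowed.discard(DISABLE[opt])
            elif opt == "ssl-min-ver" and i + 1 < len(opts) and opts[i + 1] in VERSIONS:
                for v in VERSIONS[:VERSIONS.index(opts[i + 1])]:   # explicit-floor form
                    allowed.discard(v)
    return next((v for v in VERSIONS if v in allowed), None)

def meets_tls11_floor(haproxy_cfg: str) -> bool:
    """True when neither SSLv3 nor TLS 1.0 can be negotiated (and something still can)."""
    lowest = min_tls_version(haproxy_cfg)
    return lowest is not None and VERSIONS.index(lowest) >= VERSIONS.index("TLSv1.1")

# Constructed sample configs (not copied from any deployment).
BEFORE_CFG = """global
  ssl-default-bind-options no-sslv3
  ssl-default-bind-ciphers HIGH:!aNULL:!MD5
"""
AFTER_CFG = """global
  ssl-default-bind-options no-sslv3 no-tlsv10   # block TLS 1.0 as well
"""
MINVER_CFG = """global
  ssl-default-bind-options ssl-min-ver TLSv1.2
"""

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE_CFG), ("after", AFTER_CFG), ("min-ver", MINVER_CFG)]:
        print(f"{name}: lowest={min_tls_version(cfg)} floor_ok={meets_tls11_floor(cfg)}")
```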
Comment 1 Keith Basil 2018-03-08 15:40:42 UTC
tl;dr from the FedRAMP recommendations:

TLS is a set of cryptographic protocols that provide communications security over computer networks. NIST Special Publication 800-52, Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, required the use of TLS version 1.1 at a minimum and strongly recommended that “agencies develop migration plans to TLS version 1.2 by January 2015.” The purpose of the NIST requirement to move to TLS 1.1, or higher, is to promote the “consistent use of recommended cipher suites that encompass NIST-approved algorithms” and to protect against known and anticipated attacks on the TLS 1.0 and SSL protocols.

FedRAMP carefully reviewed the NIST and DHS requirements and determined that each FedRAMP-authorized system must fully implement TLS version 1.1 or higher. These requirements are only applicable to federal customers. However, if a CSP is not fully implementing NIST-compliant TLS for all customers, the CSP must be able to segment federal and non-federal customers prior to authenticating, thus ensuring federal customers use NIST-compliant TLS at all times. This means NIST-compliant TLS must be implemented prior to authenticating both federal and non-federal customers for all customers.
Comment 2 Chris Jones 2018-03-27 14:36:43 UTC
@keith: for our triaging purposes, could you give an indication of the priority and severity of this?
Comment 3 Chris Jones 2018-04-10 14:38:11 UTC
This presumably affects more than just HAProxy, since we also have TLS endpoints for Redis, RabbitMQ and Galera, for PIDONE.
Comment 4 Keith Basil 2018-04-10 14:50:45 UTC
@Chris, it's pretty important. And yes, it's more than just HAProxy. "FedRAMP-authorized systems must be fully compliant by July 1, 2018." Our customers building FedRAMP compliant systems on top of OSP will thus be required to comply.
Comment 5 Harry Rybacki 2018-04-26 19:18:11 UTC
Upstream review has merged: https://review.openstack.org/#/c/552461/
Moving bug to POST.
Comment 14 Scott Lewis 2018-04-30 14:59:49 UTC
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd
Comment 15 pkomarov 2018-05-03 05:39:57 UTC
Verified:
core_puddle_version: 2018-05-01.6

Minimum TLS version is enforced:

(undercloud) [stack@undercloud-0 ~]$ ansible overcloud -b -mshell -a'rpm -qa|grep puppet-tripleo;grep ssl_version /usr/share/openstack-puppet/modules/tripleo/manifests/stunnel/service_proxy.pp'
compute-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
$ssl_version = 'TLSv1.2'

compute-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
$ssl_version = 'TLSv1.2'

controller-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
$ssl_version = 'TLSv1.2'

controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
$ssl_version = 'TLSv1.2'

controller-2 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
$ssl_version = 'TLSv1.2'
Comment 17 errata-xmlrpc 2018-06-27 13:35:14 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086