Bug 1553273

Summary: FedRAMP requires cloud providers to use TLS v1.1 as a minimum
Product: Red Hat OpenStack Reporter: Juan Antonio Osorio <josorior>
Component: puppet-tripleoAssignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA QA Contact: pkomarov
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: acanan, chjones, dbecker, hrybacki, jjoyce, jschluet, kbasil, mburns, morazi, pkomarov, rhel-osp-director-maint, sclewis, slinaber, tvignaud
Target Milestone: betaKeywords: Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-8.3.2-4.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1572353 (view as bug list) Environment:
Last Closed: 2018-06-27 13:35:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1572353, 1572355    

Description Juan Antonio Osorio 2018-03-08 15:35:18 UTC 
Description of problem:
Fedramp [1] recently proposed a requirement [2] for cloud providers to use TLS v1.1 as a minimum. We currently only enforce no SSL v3. So we should fix our configuration to meet this requirement.

[1] https://www.fedramp.gov/

[2] https://www.fedramp.gov/assets/resources/documents/CSP_TLS_Requirements.pdf

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP13
2. log into a controller
3. only no-sslv3 is in the HAProxy configuration


Expected results:
we should be disallowing TLS v1.0
Comment 1 Keith Basil 2018-03-08 15:40:42 UTC 
tl;dr from the FedRAMP recommendations:

TLS is a set of cryptographic protocols that provide communications security over computer networks. NIST Special Publication 800-52, Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, required the use of TLS version 1.1 at a minimum and strongly recommended that “agencies develop migration plans to TLS version 1.2 by January 2015.” The purpose of the NIST requirement to move to TLS 1.1, or higher, is to promote the “consistent use of recommended cipher suites that encompass NIST-approved algorithms” and to protect against known and anticipated attacks on the TLS 1.0 and SSL protocols. 

FedRAMP carefully reviewed the NIST and DHS requirements and determined that each FedRAMPauthorized system must fully implement TLS version 1.1 or higher. These requirements are only applicable to federal customers. However, if a CSP is not fully implementing NIST-compliant TLS for all customers, the CSP must be able to segment federal and non-federal customers prior to authenticating, thus ensuring federal customers use NIST-compliant TLS at all times. This means NIST-compliant TLS must be implemented prior to authenticating both federal and non-federal customers for all customers.
Comment 2 Chris Jones 2018-03-27 14:36:43 UTC 
@keith: for our triaging purposes, could you give an indication of the priority and severity of this?
Comment 3 Chris Jones 2018-04-10 14:38:11 UTC 
This presumably affects more than just HAProxy, since we also have TLS endpoints for Redis, RabbitMQ and Galera, for PIDONE.
Comment 4 Keith Basil 2018-04-10 14:50:45 UTC 
@Chris, it's pretty important. And yes, it's more than just HAProxy.

"FedRAMP-authorized systems must be fully compliant by July 1, 2018."

Our customers building FedRAMP compliant systems on top of OSP will thus be required to comply.
Comment 5 Harry Rybacki 2018-04-26 19:18:11 UTC 
Upstream review has merged: https://review.openstack.org/#/c/552461/

Moving bug to POST
Comment 14 Scott Lewis 2018-04-30 14:59:49 UTC 
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd
Comment 15 pkomarov 2018-05-03 05:39:57 UTC 
Verified : 

core_puddle_version : 2018-05-01.6

Minimum TLS version is enforced : 

(undercloud) [stack@undercloud-0 ~]$ ansible overcloud -b -mshell -a'rpm -qa|grep puppet-tripleo;grep ssl_version /usr/share/openstack-puppet/modules/tripleo/manifests/stunnel/service_proxy.pp'

compute-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

compute-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-2 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'
Comment 17 errata-xmlrpc 2018-06-27 13:35:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086