Bug 1572355

Summary: FedRAMP requires cloud providers to use TLS v1.1 as a minimum
Product: Red Hat OpenStack
Reporter: Harry Rybacki <hrybacki>
Component: puppet-tripleo
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: pkomarov
Severity: high
Priority: high
Version: 13.0 (Queens)
CC: aschultz, augol, chjones, dbecker, hrybacki, jjoyce, josorior, jschluet, kbasil, mburns, morazi, nlevinki, pkomarov, rhel-osp-director-maint, rhos-maint, slinaber, tvignaud
Target Milestone: async
Keywords: TestOnly, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: puppet-tripleo-5.6.8-4.el7ost
Doc Type: If docs needed, set a value
Clone Of: 1572353
Last Closed: 2018-06-27 23:30:45 UTC
Type: Bug
Bug Depends On: 1553273, 1572353

Comment 1 Harry Rybacki 2018-04-26 19:28:18 UTC
Upstream patch merged: https://review.openstack.org/#/c/554422/

Moving bug to POST

Comment 2 Lon Hohberger 2018-05-18 10:36:19 UTC
According to our records, this should be resolved by puppet-tripleo-5.6.8-6.el7ost.  This build is available now.

Comment 4 pkomarov 2018-05-31 11:22:50 UTC
Verified,

[stack@undercloud-0 ~]$ ansible overcloud -b -mshell -a'rpm -qa|grep puppet-tripleo;grep ssl_version /usr/share/openstack-puppet/modules/tripleo/manifests/stunnel/service_proxy.pp'

core_puddle_version : 2018-05-25.1


Minimum TLS version is enforced:

controller-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-2 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

overcloud-novacomputeiha-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

overcloud-novacomputeiha-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'
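
Added example (not part of the bug report or of puppet-tripleo): a Python check over the ad-hoc ansible output format shown in comment 4, flagging every host whose `$ssl_version` default is below the TLS v1.1 minimum named in the summary, or that returned no value at all. The `compute-*` hosts and their package strings in the sample are constructed, and the `ORDER` list of protocol names is an assumption about which values may appear.

```python
import re

# Assumed protocol names, weakest to strongest; any other value fails the check.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
HEADER = re.compile(r"^(\S+) \| (\w+)!? (?:\| rc=-?\d+ >>|=>)")
ASSIGN = re.compile(r"^\s*\$ssl_version\s*=\s*'([^']*)'")

# Constructed sample: controller-0 copies the page's output, the rest are made up.
SAMPLE = """\
controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-6.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

compute-0 | SUCCESS | rc=0 >>
puppet-tripleo-0.0.0-0.example.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1'

compute-1 | UNREACHABLE! => {

compute-2 | FAILED | rc=1 >>
puppet-tripleo-0.0.0-0.example.noarch
"""

def audit(output, minimum="TLSv1.1"):
    """Map each host to its status, package, ssl_version and compliance."""
    floor = ORDER.index(minimum)
    hosts, current = {}, None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:  # start of a new host block
            current = hosts.setdefault(m.group(1), {"status": m.group(2),
                "package": None, "ssl_version": None, "compliant": False})
            continue
        if current is None or current["status"] not in ("SUCCESS", "CHANGED"):
            continue  # failed or unreachable hosts stay non-compliant
        if line.startswith("puppet-tripleo-"):
            current["package"] = line.strip()
        a = ASSIGN.match(line)
        if a:
            current["ssl_version"] = a.group(1)
            current["compliant"] = (a.group(1) in ORDER
                                    and ORDER.index(a.group(1)) >= floor)
    return hosts

def failures(report):
    """Hosts that did not prove a compliant setting, sorted by name."""
    return sorted(h for h, r in report.items() if not r["compliant"])
```

Like the grep it parses, this inspects the default in the manifest, not the protocol a running stunnel instance negotiates.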

Comment 6 errata-xmlrpc 2018-06-27 23:30:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2101