Bug 1813551

Summary: Improved TLS cipher and protocol support
Product: Red Hat OpenStack
Reporter: Carlos Goncalves <cgoncalves>
Component: openstack-octavia
Assignee: Nate Johnston <njohnston>
Status: CLOSED MIGRATED
QA Contact: Bruna Bonguardo <bbonguar>
Severity: high
Priority: high
Version: 17.0 (Wallaby)
CC: bbonguar, beagles, gurpsing, ihrachys, lpeer, majopela, njohnston, nlevinki, scohen, spower
Target Milestone: ga
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-octavia-8.0.1-0.20210813161814.f16f72c.el8ost python-openstacksdk-0.48.0-0.20200708092906.3b693c2.el8ost python-octaviaclient-2.3.1-0.20210714061809.51347bc.el8ost openstack-octavia-ui-7.0.1-0.20210810231808.b4c76b9.el8ost
Last Closed: 2023-11-16 13:50:21 UTC
Type: Bug

Description Carlos Goncalves 2020-03-14 11:22:15 UTC
Today the default HAProxy configuration in the Amphora provider driver does not override the default cipher list. Operators and users may want to disable weak cipher suites, for example. Operators have the ability to override that list, but that is not ideal since they have to provide a custom HAProxy template file where options other than just cipher suites also need to be set.

- Add an ability to set default SSL ciphers in the Octavia configuration
- Add an ability to set cipher list for each listener
- Add the ability to set a cipher "blacklist" in the Octavia config that has disallowed ciphers
- Add the ability to set pool ciphers used when connecting to member servers
- Add an ability to set default SSL protocols in the Octavia configuration
- Add an ability to set protocol list for each listener
- Add the ability to set a protocol "blacklist" in the Octavia config that has disallowed ciphers
- Add the ability to set pool protocols used when connecting to member servers

https://storyboard.openstack.org/#!/story/2006627
https://storyboard.openstack.org/#!/story/2006733
https://review.opendev.org/#/q/%22Story:+2006627%22
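The resolution logic the request above asks for (configured defaults, a per-listener override, and a prohibit list that both must pass, rendered as HAProxy bind options) as an added illustration that is not Octavia's code; the option names, the sample cipher strings and `CFG` are constructed for this example.

```python
from dataclasses import dataclass

TLS_ORDER = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

@dataclass(frozen=True)
class TlsDefaults:
    # Cipher strings use the OpenSSL format that HAProxy's "ciphers" keyword expects.
    ciphers: str
    prohibited_ciphers: str
    tls_versions: tuple = ("TLSv1.2", "TLSv1.3")

# Constructed sample configuration, standing in for operator-set defaults (assumption).
CFG = TlsDefaults(
    ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305",
    prohibited_ciphers="RC4-SHA:DES-CBC3-SHA:NULL-MD5",
)

def prohibited_in(cfg, cipher_string):
    """Return the ciphers in cipher_string that the operator has prohibited."""
    blocked = {c for c in cfg.prohibited_ciphers.split(":") if c}
    return [c for c in cipher_string.split(":") if c in blocked]

def resolve_ciphers(cfg, listener_ciphers=None):
    """A per-listener list overrides the default; either must pass the prohibit list."""
    chosen = listener_ciphers or cfg.ciphers
    bad = prohibited_in(cfg, chosen)
    if bad:
        raise ValueError(f"prohibited ciphers requested: {':'.join(bad)}")
    return chosen

def resolve_tls_versions(cfg, listener_versions=None):
    """A per-listener protocol list overrides the default; unknown names are rejected."""
    chosen = tuple(listener_versions or cfg.tls_versions)
    unknown = [v for v in chosen if v not in TLS_ORDER]
    if unknown:
        raise ValueError(f"unknown TLS versions: {unknown}")
    return chosen

def haproxy_bind_options(cfg, listener_ciphers=None, listener_versions=None):
    """Render the bind options a template would place into haproxy.cfg.
    (TLS 1.3 suites belong under HAProxy's separate 'ciphersuites' keyword.)"""
    ciphers = resolve_ciphers(cfg, listener_ciphers)
    versions = sorted(resolve_tls_versions(cfg, listener_versions), key=TLS_ORDER.index)
    return f"ssl ciphers {ciphers} ssl-min-ver {versions[0]} ssl-max-ver {versions[-1]}"

if __name__ == "__main__":
    print(haproxy_bind_options(CFG))
    print(haproxy_bind_options(CFG, listener_versions=("TLSv1.3",)))
```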

Comment 9 spower 2022-05-31 12:14:41 UTC
This FutureFeature for OSP 17.0 is not marked as an MVP for OSP 17.0 GA so will be targeted for review to be included in OSP 17.1. If Tech Preview is required for OSP 17.0 please clone the BZ and follow Tech Preview procedure.

Comment 19 Red Hat Bugzilla 2024-03-16 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days