Description of problem: Due to concern over POODLE vulnerability and weak ciphers, customer is configuring haproxy.conf options such as the following example after the deployment of the Overcloud:

listen ceilometer
  bind 172.22.216.2:13777 ssl crt /etc/pki/instack-certs/undercloud.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
  bind 172.22.216.3:8777
  server 172.22.216.1 172.22.216.1:8777 check fall 5 inter 2000 rise 2

What kind of SSL/TLS ciphers, etc. are configured by default? Is it possible to make variables such as no-sslv3 or specific ciphers configurable options?
this can be set by passing some hieradata via the ExtraConfig parameter in an environment file:

parameter_defaults:
  ExtraConfig:
    'tripleo::loadbalancer::haproxy_listen_bind_param': 'ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3'

Note that by default, 'tripleo::loadbalancer::haproxy_listen_bind_param' is set to 'transparent'[1], so if you still want that parameter as well, it would look like:

parameter_defaults:
  ExtraConfig:
    'tripleo::loadbalancer::haproxy_listen_bind_param': 'transparent ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3'

Note that this is going to set the bind options on both bind lines in each listen section, resulting in haproxy config that looks like (just an example):

listen ceilometer
  bind 172.16.2.4:8777 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
  bind 192.0.3.30:8777 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
  server overcloud-controller-0 172.16.2.6:8777 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 172.16.2.8:8777 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 172.16.2.9:8777 check fall 5 inter 2000 rise 2

I don't foresee that causing any issues (when ssl is not used, the ciphers parameter is ignored).

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-transparent
I'm not an expert in optimal SSL/TLS configs, but Mozilla security provides a tool that has different (sane) configs for old clients, intermediate, and modern clients[1]. I think giving users different presets (like in [1]) would be really helpful for customers, since I can't imagine most users knowing exactly what ciphers they do and don't trust. It seems more likely they'd say "I want to use only the most secure ciphers available, whichever those happen to be". 1: https://mozilla.github.io/server-side-tls/ssl-config-generator/ (see haproxy section)
Does it make sense to use "controllerExtraConfig" instead of "ExtraConfig"? AFAIK, "controllerExtraConfig" only applies to controller nodes while "ExtraConfig" applies to all nodes.
(In reply to James Slagle from comment #12)
> this can be set by passing some hieradata via the ExtraConfig parameter in
> an environment file:
>
> parameter_defaults:
>   ExtraConfig:
>     'tripleo::loadbalancer::haproxy_listen_bind_param': 'ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3'
>
> Note that by default, 'tripleo::loadbalancer::haproxy_listen_bind_param' is
> set to 'transparent'[1], so if you still want that parameter as well, it
> would look like:
>
> parameter_defaults:
>   ExtraConfig:
>     'tripleo::loadbalancer::haproxy_listen_bind_param': 'transparent ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3'
>
> Note that this is going to set the bind options on both bind lines in each
> listen section, resulting in haproxy config that looks like (just an
> example):
>
> listen ceilometer
>   bind 172.16.2.4:8777 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
>   bind 192.0.3.30:8777 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
>   server overcloud-controller-0 172.16.2.6:8777 check fall 5 inter 2000 rise 2
>   server overcloud-controller-1 172.16.2.8:8777 check fall 5 inter 2000 rise 2
>   server overcloud-controller-2 172.16.2.9:8777 check fall 5 inter 2000 rise 2
>
> I don't foresee that causing any issues (when ssl is not used, the ciphers
> parameter is ignored).
>
> [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-transparent

As Felipe Alfaro Solana observed, "tripleo::loadbalancer::haproxy_listen_bind_param" expects a list and not a string. On loadbalancer.pp:

  A list of params to be added to the HAProxy listener bind directive.
  By default the 'transparent' param is added but it should be cleared if
  one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0
  Defaults to [ 'transparent' ]

Thanks for this information Felipe.
I tested this on OSP8 and passing the following environment file:

parameter_defaults:
  controllerExtraConfig:
    'tripleo::loadbalancer::haproxy_listen_bind_param':
      - 'transparent'
      - 'ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
      - 'no-sslv3'

resulted in:

listen ceilometer
  bind 172.16.20.10:8777 transparent ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
  bind 172.16.23.10:13777 transparent ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  server overcloud-controller-0 172.16.20.13:8777 check fall 5 inter 2000 rise 2
Moving this bug to Juan Osorio who may actually know the answer.
It is possible to set the cipher options and ssl options with the following parameters from puppet-tripleo (which can be passed via hiera data). These parameters are https://github.com/openstack/puppet-tripleo/blob/master/manifests/loadbalancer.pp#L127 and https://github.com/openstack/puppet-tripleo/blob/master/manifests/loadbalancer.pp#L133 respectively and set these options: 'ssl-default-bind-ciphers', 'ssl-default-bind-options'. We are not using the HAProxy defaults, and have defaults that come from the Fedora system crypto policy.
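A check to run against the rendered haproxy.cfg after deploying with either the per-bind parameter tested above or the global ssl-default-bind-* options, added here as an example and not code from the bug report or from puppet-tripleo: it parses the global section and every bind line, applies HAProxy's precedence (per-bind options over ssl-default-bind-*), and reports TLS-terminating binds that still allow SSLv3 or lack the !aNULL/!MD5/!DSS exclusions the cipher string in this report carries, plus ciphers set on binds without the ssl keyword (ignored, as noted above). The sample config is constructed from the rendered output above; the 'legacy' section, port 13444 and the shortened cipher lists are made up.

```python
REQUIRED_EXCLUSIONS = ("!aNULL", "!MD5", "!DSS")  # exclusions the report's cipher string carries

def parse_haproxy(cfg):
    """Return (global_opts, binds): ssl-default-bind-* from 'global' and every bind line."""
    global_opts, binds, section = {}, [], None
    for raw in cfg.splitlines():
        tokens = raw.split() or ["#"]  # blank and comment lines match nothing below
        if tokens[0] in ("global", "defaults", "listen", "frontend", "backend"):
            section = tokens[1] if len(tokens) > 1 else tokens[0]
        elif section == "global" and tokens[0].startswith("ssl-default-bind-"):
            global_opts[tokens[0]] = tokens[1:]
        elif tokens[0] == "bind":
            binds.append({"section": section, "addr": tokens[1], "opts": tokens[2:]})
    return global_opts, binds

def audit_bind(bind, global_opts):
    """Findings for one bind; per-bind options take precedence over global ssl-default-bind-*."""
    opts, findings = bind["opts"], []
    if "ssl" not in opts:  # HAProxy only applies ciphers/no-sslv3 where it terminates TLS
        if "ciphers" in opts:
            findings.append("ciphers set but bind has no 'ssl' keyword, so they are ignored")
        return findings
    if "no-sslv3" not in opts + global_opts.get("ssl-default-bind-options", []):
        findings.append("SSLv3 still enabled (POODLE)")
    ciphers = (opts[opts.index("ciphers") + 1] if "ciphers" in opts
               else ":".join(global_opts.get("ssl-default-bind-ciphers", [])))
    if not ciphers:
        findings.append("no cipher list; the OpenSSL default applies")
    else:
        missing = [x for x in REQUIRED_EXCLUSIONS if x not in ciphers.split(":")]
        if missing:
            findings.append("cipher list lacks " + ",".join(missing))
    return findings

def audit_config(cfg):
    global_opts, binds = parse_haproxy(cfg)
    return {f"{b['section']} {b['addr']}": audit_bind(b, global_opts) for b in binds}

# Constructed sample modelled on the rendered config in this report; 'legacy' and :13444 are made up.
SAMPLE_CFG = """\
global
  ssl-default-bind-options no-sslv3
listen ceilometer
  bind 172.16.20.10:8777 transparent ciphers ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS no-sslv3
  bind 172.16.23.10:13777 transparent ciphers ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS no-sslv3 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
listen legacy
  bind 172.16.23.10:13443 ciphers RSA+AES ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.23.10:13444 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
"""
```

Running audit_config(SAMPLE_CFG) gives an empty finding list only for the 13777 bind; the 'legacy' binds inherit no-sslv3 from the global section but are flagged for their cipher lists.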
backport to OSP8 submitted
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1228