Description of problem:
FedRAMP [1] recently proposed a requirement [2] for cloud providers to use TLS v1.1 as a minimum. We currently only enforce no SSL v3. So we should fix our configuration to meet this requirement.

[1] https://www.fedramp.gov/
[2] https://www.fedramp.gov/assets/resources/documents/CSP_TLS_Requirements.pdf

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP13
2. Log into a controller
3. Only no-sslv3 is in the HAProxy configuration

Expected results:
We should be disallowing TLS v1.0
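To make the gap in the report concrete, here is an added example (not OSP or puppet-tripleo code) that places the weak HAProxy global section found on the controllers next to two fixed variants and checks each one for a TLS 1.0 floor. The three configs and the cipher string are constructed for this example; the hardened variants also disable TLS 1.1, which goes past the FedRAMP v1.1 minimum but matches the NIST recommendation to move to TLS 1.2. Only the `ssl-default-bind-options` defaults are inspected; a per-`bind` override on a frontend line is not considered.

```shell
#!/bin/sh
# Added example (not OSP/tripleo code): inspect the 'ssl-default-bind-options'
# line of an HAProxy global section and report whether TLS 1.0 is still
# negotiable. The three configs below are constructed for this example.

# What the bug report found on OSP13 controllers: only SSLv3 is disabled,
# so TLS 1.0 and TLS 1.1 remain negotiable.
WEAK_CFG='global
  ssl-default-bind-options no-sslv3
  ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5'

# Fixed with per-protocol deny keywords (HAProxy 1.5 and later).
HARD_CFG='global
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5'

# Fixed with a version floor instead of a deny-list (HAProxy 1.8 and later);
# future TLS versions stay allowed without editing the line again.
MINVER_CFG='global
  ssl-default-bind-options ssl-min-ver TLSv1.2
  ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5'

# Extract the option words that follow 'ssl-default-bind-options', padded
# with one space on each side so whole-word matching with case patterns works.
bind_options() {
  printf ' %s \n' "$(printf '%s\n' "$1" \
    | awk '$1 == "ssl-default-bind-options" { $1 = ""; print }' \
    | tr '\n' ' ')"
}

# Print "disabled" when TLS 1.0 cannot be negotiated on default bind sockets,
# "allowed" otherwise. A missing option line means HAProxy's default, which
# still permits TLS 1.0, so that case also reports "allowed".
tls10_status() {
  opts=$(bind_options "$1")
  case "$opts" in
    *" no-tlsv10 "*) echo disabled; return ;;
    *" ssl-min-ver TLSv1.1 "*|*" ssl-min-ver TLSv1.2 "*|*" ssl-min-ver TLSv1.3 "*)
      echo disabled; return ;;
  esac
  echo allowed
}

for name in WEAK_CFG HARD_CFG MINVER_CFG; do
  eval "cfg=\$$name"
  printf '%-10s TLS 1.0 %s\n' "$name" "$(tls10_status "$cfg")"
done
```

Against a live deployment the same question is answered from the client side: `openssl s_client -connect <public-vip>:<port> -tls1 </dev/null` must fail to complete the handshake once the fix is in place. Note that this only covers HAProxy; the stunnel-fronted Redis, RabbitMQ and Galera endpoints mentioned later in this bug are governed by stunnel's own version setting and need a separate check.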
tl;dr from the FedRAMP recommendations:

TLS is a set of cryptographic protocols that provide communications security over computer networks. NIST Special Publication 800-52, Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, required the use of TLS version 1.1 at a minimum and strongly recommended that "agencies develop migration plans to TLS version 1.2 by January 2015." The purpose of the NIST requirement to move to TLS 1.1, or higher, is to promote the "consistent use of recommended cipher suites that encompass NIST-approved algorithms" and to protect against known and anticipated attacks on the TLS 1.0 and SSL protocols. FedRAMP carefully reviewed the NIST and DHS requirements and determined that each FedRAMP-authorized system must fully implement TLS version 1.1 or higher. These requirements are only applicable to federal customers. However, if a CSP is not fully implementing NIST-compliant TLS for all customers, the CSP must be able to segment federal and non-federal customers prior to authenticating, thus ensuring federal customers use NIST-compliant TLS at all times. This means NIST-compliant TLS must be implemented prior to authenticating both federal and non-federal customers for all customers.
@keith: for our triaging purposes, could you give an indication of the priority and severity of this?
This presumably affects more than just HAProxy, since we also have TLS endpoints for Redis, RabbitMQ and Galera, for PIDONE.
@Chris, it's pretty important. And yes, it's more than just HAProxy. "FedRAMP-authorized systems must be fully compliant by July 1, 2018." Our customers building FedRAMP compliant systems on top of OSP will thus be required to comply.
Upstream review has merged: https://review.openstack.org/#/c/552461/

Moving bug to POST
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd
Verified: core_puddle_version: 2018-05-01.6

Minimum TLS version is enforced:

(undercloud) [stack@undercloud-0 ~]$ ansible overcloud -b -mshell -a'rpm -qa|grep puppet-tripleo;grep ssl_version /usr/share/openstack-puppet/modules/tripleo/manifests/stunnel/service_proxy.pp'
compute-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

compute-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-2 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086