Bug 1553273 - FedRAMP requires cloud providers to use TLS v1.1 as a minimum
Summary: FedRAMP requires cloud providers to use TLS v1.1 as a minimum
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 13.0 (Queens)
Assignee: RHOS Maint
QA Contact: pkomarov
URL:
Whiteboard:
Depends On:
Blocks: 1572353 1572355
TreeView+ depends on / blocked
 
Reported: 2018-03-08 15:35 UTC by Juan Antonio Osorio
Modified: 2018-06-27 13:35 UTC (History)
14 users (show)

Fixed In Version: puppet-tripleo-8.3.2-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1572353 (view as bug list)
Environment:
Last Closed: 2018-06-27 13:35:14 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 1754368 None None None 2018-03-08 15:35:17 UTC
OpenStack gerrit 552461 None None None 2018-04-26 19:18:11 UTC
OpenStack gerrit 562960 None None None 2018-04-29 16:38:55 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:35:54 UTC

Description Juan Antonio Osorio 2018-03-08 15:35:18 UTC
Description of problem:
Fedramp [1] recently proposed a requirement [2] for cloud providers to use TLS v1.1 as a minimum. We currently only enforce no SSL v3. So we should fix our configuration to meet this requirement.

[1] https://www.fedramp.gov/

[2] https://www.fedramp.gov/assets/resources/documents/CSP_TLS_Requirements.pdf

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP13
2. log into a controller
3. only no-sslv3 is in the HAProxy configuration


Expected results:
we should be disallowing TLS v1.0

Comment 1 Keith Basil 2018-03-08 15:40:42 UTC
tl;dr from the FedRAMP recommendations:

TLS is a set of cryptographic protocols that provide communications security over computer networks. NIST Special Publication 800-52, Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, required the use of TLS version 1.1 at a minimum and strongly recommended that “agencies develop migration plans to TLS version 1.2 by January 2015.” The purpose of the NIST requirement to move to TLS 1.1, or higher, is to promote the “consistent use of recommended cipher suites that encompass NIST-approved algorithms” and to protect against known and anticipated attacks on the TLS 1.0 and SSL protocols. 

FedRAMP carefully reviewed the NIST and DHS requirements and determined that each FedRAMPauthorized system must fully implement TLS version 1.1 or higher. These requirements are only applicable to federal customers. However, if a CSP is not fully implementing NIST-compliant TLS for all customers, the CSP must be able to segment federal and non-federal customers prior to authenticating, thus ensuring federal customers use NIST-compliant TLS at all times. This means NIST-compliant TLS must be implemented prior to authenticating both federal and non-federal customers for all customers.

Comment 2 Chris Jones 2018-03-27 14:36:43 UTC
@keith: for our triaging purposes, could you give an indication of the priority and severity of this?

Comment 3 Chris Jones 2018-04-10 14:38:11 UTC
This presumably affects more than just HAProxy, since we also have TLS endpoints for Redis, RabbitMQ and Galera, for PIDONE.

Comment 4 Keith Basil 2018-04-10 14:50:45 UTC
@Chris, it's pretty important. And yes, it's more than just HAProxy.

"FedRAMP-authorized systems must be fully compliant by July 1, 2018."

Our customers building FedRAMP compliant systems on top of OSP will thus be required to comply.

Comment 5 Harry Rybacki 2018-04-26 19:18:11 UTC
Upstream review has merged: https://review.openstack.org/#/c/552461/

Moving bug to POST

Comment 14 Scott Lewis 2018-04-30 14:59:49 UTC
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd

Comment 15 pkomarov 2018-05-03 05:39:57 UTC
Verified : 

core_puddle_version : 2018-05-01.6

Minimum TLS version is enforced : 

(undercloud) [stack@undercloud-0 ~]$ ansible overcloud -b -mshell -a'rpm -qa|grep puppet-tripleo;grep ssl_version /usr/share/openstack-puppet/modules/tripleo/manifests/stunnel/service_proxy.pp'

compute-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

compute-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-1 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-0 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

controller-2 | SUCCESS | rc=0 >>
puppet-tripleo-8.3.2-4.el7ost.noarch
# [*ssl_version*]
  $ssl_version = 'TLSv1.2'

Comment 17 errata-xmlrpc 2018-06-27 13:35:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.