This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 1813551 - Improved TLS cipher and protocol support
Summary: Improved TLS cipher and protocol support
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: ---
Assignee: Nate Johnston
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-14 11:22 UTC by Carlos Goncalves
Modified: 2024-03-16 04:25 UTC
CC List: 10 users

Fixed In Version: openstack-octavia-8.0.1-0.20210813161814.f16f72c.el8ost python-openstacksdk-0.48.0-0.20200708092906.3b693c2.el8ost python-octaviaclient-2.3.1-0.20210714061809.51347bc.el8ost openstack-octavia-ui-7.0.1-0.20210810231808.b4c76b9.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-16 13:50:21 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
OpenStack Storyboard 2006627 0 None None None 2020-03-14 11:22:14 UTC
OpenStack Storyboard 2006733 0 None None None 2020-03-14 11:22:14 UTC
OpenStack gerrit 711376 0 None MERGED Add ability to set TLS cipher list for listeners 2020-12-10 20:04:27 UTC
OpenStack gerrit 718550 0 None MERGED Add ciphers options for listeners and pools 2021-11-17 16:48:27 UTC
OpenStack gerrit 720375 0 None MERGED Add TLS cipher blacklist to octavia.conf 2021-11-17 16:48:27 UTC
OpenStack gerrit 721351 0 None MERGED Add cipher list support for octavia 2021-11-17 16:48:27 UTC
OpenStack gerrit 745118 0 None MERGED Add TLS versions and ciphers unsets 2021-11-17 16:48:27 UTC
Red Hat Issue Tracker OSP-30475 0 None None None 2023-11-16 13:51:52 UTC
Red Hat Issue Tracker OSP-5196 0 None None None 2023-11-16 13:50:20 UTC

Description Carlos Goncalves 2020-03-14 11:22:15 UTC
Today the default HAProxy configuration in the Amphora provider driver does not override the default cipher list. Operators and users may want to disable weak cipher suites, for example. Operators have the ability to override that list, but that is not ideal since they have to provide a custom HAProxy template file in which options other than just cipher suites also need to be set.

- Add an ability to set default SSL ciphers in the Octavia configuration 
- Add an ability to set cipher list for each listener
- Add the ability to set a cipher "blacklist" in the Octavia config that has disallowed ciphers  
- Add the ability to set pool ciphers used when connecting to member servers
- Add an ability to set default SSL protocols in the Octavia configuration 
- Add an ability to set protocol list for each listener
- Add the ability to set a protocol "blacklist" in the Octavia config that has disallowed ciphers  
- Add the ability to set pool protocols used when connecting to member servers  

https://storyboard.openstack.org/#!/story/2006627
https://storyboard.openstack.org/#!/story/2006733
https://review.opendev.org/#/q/%22Story:+2006627%22
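The controls the description asks for (an operator default cipher string, a prohibit list of ciphers tenants may never choose, and per-listener cipher and protocol selection) amount to a policy check that runs before the HAProxy configuration is rendered. The block below is an added example written for this page, not Octavia's own code: the option names, the cipher values, the constructed bind-line renderer and the `is_policy_compliant` helper are all assumptions. The `ciphers`, `ssl-min-ver` and `ssl-max-ver` keywords on the rendered line are HAProxy bind options.

```python
"""Policy check for listener TLS ciphers and protocol versions.

Added example, not Octavia's code. It models a default cipher string, an
operator prohibit list and a bounded set of TLS versions, enforced before an
HAProxy bind line is rendered. Names and values are constructed.
"""
from typing import Iterable, List, Optional

# Constructed operator defaults (hypothetical names, not octavia.conf keys).
DEFAULT_LISTENER_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)
# Ciphers a tenant may never select, regardless of what is requested.
PROHIBITED_CIPHERS = frozenset(
    {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "NULL-SHA", "NULL-MD5"}
)
# Protocol versions in HAProxy's spelling, oldest first.
TLS_VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_TLS_VERSION = "TLSv1.2"
DEFAULT_TLS_VERSIONS = ["TLSv1.2", "TLSv1.3"]


class TLSPolicyError(ValueError):
    """A requested cipher or protocol conflicts with operator policy."""


def parse_cipher_string(cipher_string: str) -> List[str]:
    """Split an OpenSSL-style colon-separated cipher string, keeping order.

    Order matters: HAProxy hands the string to OpenSSL as the server-side
    preference list, so the first mutually supported cipher wins.
    """
    return [c.strip() for c in cipher_string.split(":") if c.strip()]


def validate_ciphers(cipher_string: Optional[str],
                     prohibited: Iterable[str] = PROHIBITED_CIPHERS) -> List[str]:
    """Return the accepted cipher list or raise TLSPolicyError.

    A prohibited cipher rejects the whole request instead of being filtered
    silently, so the user learns that policy would have changed the listener.
    """
    ciphers = parse_cipher_string(cipher_string or DEFAULT_LISTENER_CIPHERS)
    if not ciphers:
        raise TLSPolicyError("cipher string contains no ciphers")
    blocked = set(prohibited)
    rejected = [c for c in ciphers if c in blocked]
    if rejected:
        raise TLSPolicyError("prohibited ciphers requested: " + ", ".join(rejected))
    return ciphers


def validate_tls_versions(versions: Optional[Iterable[str]],
                          minimum: str = MINIMUM_TLS_VERSION) -> List[str]:
    """Return the accepted versions sorted oldest-first, or raise TLSPolicyError."""
    requested = list(versions) if versions else list(DEFAULT_TLS_VERSIONS)
    unknown = [v for v in requested if v not in TLS_VERSION_ORDER]
    if unknown:
        raise TLSPolicyError("unknown TLS versions: " + ", ".join(unknown))
    floor = TLS_VERSION_ORDER.index(minimum)
    too_old = [v for v in requested if TLS_VERSION_ORDER.index(v) < floor]
    if too_old:
        raise TLSPolicyError("versions below operator minimum %s: %s"
                             % (minimum, ", ".join(too_old)))
    return sorted(set(requested), key=TLS_VERSION_ORDER.index)


def render_haproxy_bind(address: str, port: int, cert_path: str,
                        ciphers: List[str], versions: List[str]) -> str:
    """Render an HAProxy bind line from already-validated settings.

    ssl-min-ver / ssl-max-ver are taken from the ends of the sorted list.
    """
    return "bind %s:%d ssl crt %s ciphers %s ssl-min-ver %s ssl-max-ver %s" % (
        address, port, cert_path, ":".join(ciphers), versions[0], versions[-1])


def build_listener_bind(address: str, port: int, cert_path: str,
                        cipher_string: Optional[str] = None,
                        tls_versions: Optional[Iterable[str]] = None) -> str:
    """Validate a listener's TLS request against policy, then render it."""
    ciphers = validate_ciphers(cipher_string)
    versions = validate_tls_versions(tls_versions)
    return render_haproxy_bind(address, port, cert_path, ciphers, versions)


def is_policy_compliant(cipher_string: Optional[str] = None,
                        tls_versions: Optional[Iterable[str]] = None) -> bool:
    """True when the request would be accepted, False when policy rejects it."""
    try:
        validate_ciphers(cipher_string)
        validate_tls_versions(tls_versions)
    except TLSPolicyError:
        return False
    return True


if __name__ == "__main__":
    print(build_listener_bind("10.0.0.5", 443, "/etc/ssl/lb.pem"))
    # A request that mixes a modern cipher with RC4 is rejected outright.
    print(is_policy_compliant("ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA"))
```

Rejecting the whole request on a prohibited cipher, rather than dropping the offending entry, is the design choice worth noting: a silently filtered list can leave a listener negotiating something other than what the tenant believes was configured, and the error message is the only place the operator's policy becomes visible to the API caller.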

Comment 9 spower 2022-05-31 12:14:41 UTC
This FutureFeature for OSP 17.0 is not marked as an MVP for OSP 17.0 GA so will be targeted for review to be included in OSP 17.1. If Tech Preview is required for OSP 17.0 please clone the BZ and follow Tech Preview procedure.

Comment 19 Red Hat Bugzilla 2024-03-16 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days