Closed cowen23 closed 6 months ago
I hope to have this fixed soon. Thanks!
The ciphers will be added to the haproxy template directly, and port 80 will be conditional based on a public.yml setting that we will update the deploy script to solicit from the user if it doesn't already exist in public.yml.
Fixed in 39.x with https://github.com/nasa/meza/commit/8eb2240370e9c1f875facdda40ead13611d62c9b
Environment
VMware Red Hat Enterprise Linux release 8.8 (Ootpa) d103da8
Issue details
After meza deploy monolith, the haproxy configuration does not meet NASA specs.
Edit /etc/haproxy/haproxy.cfg and update settings based on NASA-SPEC-2650 for TLS.

Set ciphers:

```
ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA
```

Set protocols:

```
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
```

Commented out port 80:

```
frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend www-backend
```

Set HSTS max-age to one year:

```
http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;
```

Each administrator should copy their server's certificate, unencrypted certificate key, and CA chain into /etc/haproxy/certs/meza.pem. Ex.: `cat server.crt server.key ca-bundle.crt > meza.pem`
Also, update template so that future deployments retain the settings: /opt/meza/src/roles/haproxy/templates/haproxy.cfg.j2
NASA-SPEC-2650_v4.0_TLS.pdf
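As an added example (not code from the nasa/meza project or its haproxy role), the script below audits an haproxy.cfg for the four settings this issue asks for: the cipher list, the disabled protocol versions, no active listener on port 80, and an HSTS header of at least one year with includeSubDomains and preload. The two configs embedded in it are constructed for the demonstration and are not meza's real template, and the checker covers only the settings quoted in the issue, not the whole NASA-SPEC-2650 document. It also assumes the header name is written exactly as `Strict-Transport-Security`.

```python
"""Audit an haproxy.cfg for the four TLS settings quoted in this issue.

Added example, not code from the nasa/meza project; the configs below are
constructed and are not meza's real template."""
import re

# Cipher list exactly as quoted in the issue, treated here as the reference value.
SPEC_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:"
    "!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:"
    "!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:"
    "!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA"
)
REQUIRED_BIND_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
ONE_YEAR_SECONDS = 31536000  # 365 days; the issue's 31557600 (365.25 days) clears this bar
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}


def parse_sections(cfg_text):
    """Return [(section header, [(tokens, line), ...])] with comments dropped,
    so a commented-out 'bind *:80' correctly counts as disabled."""
    sections, current = [], ("<top>", [])
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            current = (line, [])
            sections.append(current)
        else:
            current[1].append((tokens, line))
    return sections


def audit_tls(cfg_text):
    """Return a list of findings; an empty list means all four settings are in place."""
    findings, bind_opts, ciphers, hsts_ok = [], set(), None, False
    for hdr, directives in parse_sections(cfg_text):
        for tokens, line in directives:
            if hdr == "global" and tokens[0] == "ssl-default-bind-options":
                bind_opts.update(tokens[1:])
            elif hdr == "global" and tokens[0] == "ssl-default-bind-ciphers":
                ciphers = tokens[1] if len(tokens) > 1 else None
            elif tokens[0] == "bind" and hdr.split()[0] in ("frontend", "listen"):
                # Any still-active listener on port 80 ('*:80', ':80', '0.0.0.0:80') is a finding.
                if any(re.fullmatch(r"(\*|[\d.]+)?:80", t) for t in tokens[1:]):
                    findings.append(f"{hdr}: plaintext listener on port 80 is still active")
            elif tokens[:3] == ["http-response", "set-header", "Strict-Transport-Security"]:
                value = line.split(None, 3)[3].replace("\\ ", " ")  # undo HAProxy '\ ' escapes
                m = re.search(r"max-age=(\d+)", value)
                if m and int(m.group(1)) >= ONE_YEAR_SECONDS \
                        and "includeSubDomains" in value and "preload" in value:
                    hsts_ok = True
    missing = REQUIRED_BIND_OPTIONS - bind_opts
    if missing:
        findings.append("ssl-default-bind-options missing: " + " ".join(sorted(missing)))
    if ciphers != SPEC_CIPHERS:
        findings.append("ssl-default-bind-ciphers does not match the spec cipher list")
    if not hsts_ok:
        findings.append("no HSTS header with max-age >= one year, includeSubDomains and preload")
    return findings


# Constructed "before" config in the shape the issue describes (not meza's template).
BEFORE_CFG = r"""
global

frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/meza.pem
    default_backend www-backend
"""

# Constructed "after" config with the four changes from the issue applied.
AFTER_CFG = rf"""
global
    ssl-default-bind-ciphers {SPEC_CIPHERS}
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

# frontend www-http
#     bind *:80
#     reqadd X-Forwarded-Proto:\ http
#     default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/meza.pem
    http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;
    default_backend www-backend
"""
```

Running `audit_tls(BEFORE_CFG)` reports all four gaps (active port 80, missing bind options, cipher list mismatch, no HSTS), while `audit_tls(AFTER_CFG)` returns an empty list. Pointing it at a real file (`audit_tls(open("/etc/haproxy/haproxy.cfg").read())`) after `meza deploy` is a quick way to confirm the settings survived a redeploy from the template.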