sapcc / elektra

An opinionated openstack Web UI for consumer self service and operations.
Apache License 2.0

[lbaas] Add possibility to specify cipher suites #1141

Closed BenjaminLudwigSAP closed 1 year ago

BenjaminLudwigSAP commented 2 years ago

I've implemented the custom cipher suites feature in our LBaaS backend driver, so it can now be used. As of 2022-10-21 I'm currently in the middle of rolling out to prod.

The feature allows users to specify a colon-separated list of cipher suites via the tls_ciphers API parameter, usable at listener creation and pool creation. The cipher suites that can be used are specified in an allow list. If tls_ciphers is not set at listener/pool creation, a default will be used. Both the allow list and defaults are specified in the charts here.

Please implement a way for the user to optionally enter a colon-separated list of cipher suites when creating a listener or pool. When invalid cipher suites are entered, the API will respond with an error indicating which cipher suites are allowed. Please display that error. It looks e.g. like this:

benjamin@ubuntu2004:~$ openstack loadbalancer listener create --name invalid_ciphers --protocol TCP --protocol-port 80 --tls-ciphers 'foo:bar' d0252697-21e4-4383-82a1-cdea6a6bdf01
Validation failure: The following ciphers have been prohibited by an administrator: foo, bar. The allowed ciphers are defined by this cipher string: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA:AES128-SHA:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES256-SHA:AES256-SHA256:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384 (HTTP 400) (Request-ID: req-76aff841-13e4-412c-b54b-2a73ebc6df1e)

Unfortunately there is no way to discover the allowed cipher suites via the API other than to send an invalid list of cipher suites. Additionally the allowed cipher suites can be discovered via Octavia's values.yaml in the charts.

(Please don't implement TLS versions for now)
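The validation the comment above describes, as an added example that is not part of the issue, of elektra, or of Octavia's driver: a colon-separated tls_ciphers string is split into suite names, each name is checked against the allow list, and any prohibited names are reported in the same layout as the API error quoted above. The allow list is the cipher string from that error message (duplicates included, as on the page); the function names, the treatment of an unset value as "use the default", and the de-duplication of repeated offenders are assumptions made for the example.

```ruby
# Added example, not code from elektra or Octavia. ALLOWED_CIPHER_STRING is the
# cipher string quoted in the API error in this issue; everything else here is
# an assumption made for illustration.

ALLOWED_CIPHER_STRING = %w[
  ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-CBC-SHA ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-CBC-SHA ECDHE-RSA-AES256-SHA384
  AES128-GCM-SHA256 AES128-SHA AES128-SHA AES128-SHA256
  AES256-GCM-SHA384 AES256-SHA AES256-SHA AES256-SHA256
  CAMELLIA128-SHA CAMELLIA256-SHA
  ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384
].join(':').freeze

# The set used for lookups; the quoted string lists AES128-SHA and AES256-SHA
# twice, so de-duplicate rather than rely on the raw string.
ALLOWED_CIPHERS = ALLOWED_CIPHER_STRING.split(':').uniq.freeze

# Split a colon-separated cipher string into suite names. Stray or doubled
# colons and surrounding whitespace are tolerated so that "a::b:" yields
# ["a", "b"] instead of an empty name that could never match the allow list.
def parse_cipher_string(str)
  str.to_s.split(':').map(&:strip).reject(&:empty?)
end

# Returns nil when the request is acceptable, otherwise an error message in
# the layout of the API response quoted in the issue. An unset or empty
# tls_ciphers is acceptable because the API then applies its default.
def validate_tls_ciphers(tls_ciphers, allowed: ALLOWED_CIPHERS, allowed_string: ALLOWED_CIPHER_STRING)
  requested = parse_cipher_string(tls_ciphers)
  return nil if requested.empty?

  # Report each offending name once, in the order the user entered it.
  prohibited = requested.reject { |cipher| allowed.include?(cipher) }.uniq
  return nil if prohibited.empty?

  'Validation failure: The following ciphers have been prohibited by an administrator: ' \
    "#{prohibited.join(', ')}. The allowed ciphers are defined by this cipher string: " \
    "#{allowed_string}"
end

if __FILE__ == $PROGRAM_NAME
  # The invalid request from the issue, then a request made only of allowed suites.
  puts validate_tls_ciphers('foo:bar')
  p validate_tls_ciphers('ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384')
end
```

A UI that wants to flag unknown suites before submitting can run the same check client-side, but the API's answer remains authoritative, since only the backend knows the list actually deployed; passing a different list through the `allowed:` keyword is how a shared configuration file would feed this check.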

ArtieReus commented 2 years ago

Hi! Would you please create a shared values yaml file with these tls_ciphers, so it can be consumed by octavia and elektra without involving us to do any changes? We don't want to hard-code any lists of values anymore in elektra. The same as we did with Galvani, where Fabus can himself change the values and they will appear with the next deploy of elektra through a configmap.