Browse Source

Merge "Add minimum TLS version option in octavia.conf"

changes/11/656811/8
Zuul 2 years ago committed by Gerrit Code Review
parent
commit
179f00e839
  1. 4
      etc/octavia.conf
  2. 8
      octavia/api/v2/controllers/listener.py
  3. 8
      octavia/api/v2/controllers/pool.py
  4. 7
      octavia/common/config.py
  5. 37
      octavia/common/validate.py
  6. 28
      octavia/tests/unit/common/test_validations.py
  7. 6
      releasenotes/notes/min-tls-version-8e2856fb055ece2c.yaml

4
etc/octavia.conf

@ -80,6 +80,10 @@
# pools. Available versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
# default_pool_tls_versions = TLSv1.2, TLSv1.3
# Minimum TLS version to allow for listeners, pools, or the defaults for
# either. Available versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
# minimum_tls_version =
[database]
# This line MUST be changed to actually run the plugin.
# Example:

8
octavia/api/v2/controllers/listener.py

@ -288,9 +288,11 @@ class ListenersController(base.BaseController):
vip_address = vip_db.ip_address
self._validate_cidr_compatible_with_vip(vip_address, allowed_cidrs)
# Validate TLS version list
if listener_protocol == constants.PROTOCOL_TERMINATED_HTTPS:
# Validate TLS version list
validate.check_tls_version_list(listener_dict['tls_versions'])
# Validate TLS versions against minimum
validate.check_tls_version_min(listener_dict['tls_versions'])
try:
db_listener = self.repositories.listener.create(
@ -498,9 +500,11 @@ class ListenersController(base.BaseController):
'The following ciphers have been blacklisted by an '
'administrator: ' + ', '.join(rejected_ciphers)))
# Validate TLS version list
if listener.tls_versions is not wtypes.Unset:
# Validate TLS version list
validate.check_tls_version_list(listener.tls_versions)
# Validate TLS versions against minimum
validate.check_tls_version_min(listener.tls_versions)
def _set_default_on_none(self, listener):
"""Reset settings to their default values if None/null was passed in

8
octavia/api/v2/controllers/pool.py

@ -131,9 +131,11 @@ class PoolsController(base.BaseController):
'The following ciphers have been blacklisted by an '
'administrator: ' + ', '.join(rejected_ciphers)))
# Validate TLS version list
if pool_dict['tls_enabled']:
# Validate TLS version list
validate.check_tls_version_list(pool_dict['tls_versions'])
# Validate TLS versions against minimum
validate.check_tls_version_min(pool_dict['tls_versions'])
try:
return self.repositories.create_pool_on_load_balancer(
@ -403,9 +405,11 @@ class PoolsController(base.BaseController):
"The following ciphers have been blacklisted by an "
"administrator: " + ', '.join(rejected_ciphers)))
# Validate TLS version list
if pool.tls_versions is not wtypes.Unset:
# Validate TLS version list
validate.check_tls_version_list(pool.tls_versions)
# Validate TLS version against minimum
validate.check_tls_version_min(pool.tls_versions)
@wsme_pecan.wsexpose(pool_types.PoolRootResponse, wtypes.text,
body=pool_types.PoolRootPut, status_code=200)

7
octavia/common/config.py

@ -123,7 +123,11 @@ api_opts = [
cfg.ListOpt('default_pool_tls_versions',
default=constants.TLS_VERSIONS_OWASP_SUITE_B,
help=_('List of TLS versions to use for new TLS-enabled '
'pools.'))
'pools.')),
cfg.StrOpt('minimum_tls_version',
default=None,
choices=constants.TLS_ALL_VERSIONS + [None],
help=_('Minimum allowed TLS version for listeners and pools.'))
]
# Options only used by the amphora agent
@ -875,6 +879,7 @@ def init(args, **kwargs):
version='%%prog %s' % version.version_info.release_string(),
**kwargs)
handle_deprecation_compatibility()
validate.check_default_tls_versions_min_conflict()
setup_remote_debugger()
validate.check_default_ciphers_blacklist_conflict()

37
octavia/common/validate.py

@ -471,3 +471,40 @@ def check_tls_version_list(versions):
if invalid_versions:
raise exceptions.ValidationException(
detail=_('Invalid TLS versions: ' + ', '.join(invalid_versions)))
def check_tls_version_min(versions, message=None):
"""Checks a TLS version string against the configured minimum."""
if not CONF.api_settings.minimum_tls_version:
return
if not message:
message = _("Requested TLS versions are less than the minimum: ")
min_ver_index = constants.TLS_ALL_VERSIONS.index(
CONF.api_settings.minimum_tls_version)
rejected = []
for ver in versions:
if constants.TLS_ALL_VERSIONS.index(ver) < min_ver_index:
rejected.append(ver)
if rejected:
raise exceptions.ValidationException(detail=(
message + ', '.join(rejected) + " < " +
CONF.api_settings.minimum_tls_version))
def check_default_tls_versions_min_conflict():
if not CONF.api_settings.minimum_tls_version:
return
listener_message = _("Default listener TLS versions are less than the "
"minimum: ")
pool_message = _("Default pool TLS versions are less than the minimum: ")
check_tls_version_min(CONF.api_settings.default_listener_tls_versions,
message=listener_message)
check_tls_version_min(CONF.api_settings.default_pool_tls_versions,
message=pool_message)

28
octavia/tests/unit/common/test_validations.py

@ -484,3 +484,31 @@ class TestValidations(base.TestCase):
exceptions.ValidationException,
validate.check_tls_version_list,
[])
def test_check_tls_version_min(self):
self.conf.config(group="api_settings", minimum_tls_version='TLSv1.2')
# Test valid list
validate.check_tls_version_min(['TLSv1.2', 'TLSv1.3'])
# Test invalid list
self.assertRaises(exceptions.ValidationException,
validate.check_tls_version_min,
['TLSv1', 'TLSv1.1', 'TLSv1.2'])
def test_check_default_tls_versions_min_conflict(self):
self.conf.config(group="api_settings", minimum_tls_version='TLSv1.2')
# Test conflict in listener default
self.conf.config(group="api_settings", default_listener_tls_versions=[
'SSLv3', 'TLSv1.2'])
self.assertRaises(exceptions.ValidationException,
validate.check_default_tls_versions_min_conflict)
# Test conflict in pool default
self.conf.config(group="api_settings", default_listener_tls_versions=[
'TLSv1.2'])
self.conf.config(group="api_settings", default_pool_tls_versions=[
'TLSv1', 'TLSv1.3'])
self.assertRaises(exceptions.ValidationException,
validate.check_default_tls_versions_min_conflict)

6
releasenotes/notes/min-tls-version-8e2856fb055ece2c.yaml

@ -0,0 +1,6 @@
---
features:
- |
Added ``minimum_tls_version`` to ``octavia.conf``. Listeners, pools, and
the defaults for either will be blocked from using any lower TLS versions.
By default, there is no minumum version.
Loading…
Cancel
Save