Force amp-agent communication to TLSv1.2
Also allow configuration of this minimum. The previous default of SSLv2/3 is very insecure. Change-Id: If34c7c34d9a6a77685fb177976dc2070760c7b37
This commit is contained in:
Adam Harwell
parent
987a6b3f1d
commit
5b831f2a5b
|
|
@ -298,6 +298,9 @@
|
|||
# agent_server_network_file =
|
||||
# agent_request_read_timeout = 180
|
||||
|
||||
# Minimum TLS protocol, eg: TLS, TLSv1.1, TLSv1.2, TLSv1.3 (if available)
|
||||
# agent_tls_protocol = TLSv1.2
|
||||
|
||||
# Amphora default UDP driver is keepalived_lvs
|
||||
#
|
||||
# amphora_udp_driver = keepalived_lvs
|
||||
|
|
|
|||
|
|
@ -58,4 +58,5 @@ class AgentJinjaTemplater(object):
|
|||
'respawn_count': CONF.haproxy_amphora.respawn_count,
|
||||
'respawn_interval': CONF.haproxy_amphora.respawn_interval,
|
||||
'amphora_udp_driver': CONF.amphora_agent.amphora_udp_driver,
|
||||
'agent_tls_protocol': CONF.amphora_agent.agent_tls_protocol,
|
||||
'topology': topology})
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@ agent_server_network_file = {{ agent_server_network_file }}
|
|||
agent_request_read_timeout = {{ agent_request_read_timeout }}
|
||||
amphora_id = {{ amphora_id }}
|
||||
amphora_udp_driver = {{ amphora_udp_driver }}
|
||||
agent_tls_protocol = {{ agent_tls_protocol }}
|
||||
|
||||
[controller_worker]
|
||||
loadbalancer_topology = {{ topology }}
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@
|
|||
import functools
|
||||
import hashlib
|
||||
import os
|
||||
import ssl
|
||||
import time
|
||||
import warnings
|
||||
|
||||
|
|
@ -403,6 +404,12 @@ class CustomHostNameCheckingAdapter(requests.adapters.HTTPAdapter):
|
|||
return super(CustomHostNameCheckingAdapter,
|
||||
self).cert_verify(conn, url, verify, cert)
|
||||
|
||||
def init_poolmanager(self, *pool_args, **pool_kwargs):
|
||||
proto = CONF.amphora_agent.agent_tls_protocol.replace('.', '_')
|
||||
pool_kwargs['ssl_version'] = getattr(ssl, "PROTOCOL_%s" % proto)
|
||||
return super(CustomHostNameCheckingAdapter,
|
||||
self).init_poolmanager(*pool_args, **pool_kwargs)
|
||||
|
||||
|
||||
class AmphoraAPIClient(object):
|
||||
def __init__(self):
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@
|
|||
# make sure PYTHONPATH includes the home directory if you didn't install
|
||||
|
||||
import multiprocessing as multiproc
|
||||
import ssl
|
||||
import sys
|
||||
|
||||
import gunicorn.app.base
|
||||
|
|
@ -68,6 +69,7 @@ def main():
|
|||
|
||||
bind_ip_port = utils.ip_port_str(CONF.haproxy_amphora.bind_host,
|
||||
CONF.haproxy_amphora.bind_port)
|
||||
proto = CONF.amphora_agent.agent_tls_protocol.replace('.', '_')
|
||||
options = {
|
||||
'bind': bind_ip_port,
|
||||
'workers': 1,
|
||||
|
|
@ -75,6 +77,7 @@ def main():
|
|||
'certfile': CONF.amphora_agent.agent_server_cert,
|
||||
'ca_certs': CONF.amphora_agent.agent_server_ca,
|
||||
'cert_reqs': True,
|
||||
'ssl_version': getattr(ssl, "PROTOCOL_%s" % proto),
|
||||
'preload_app': True,
|
||||
'accesslog': '/var/log/amphora-agent.log',
|
||||
'errorlog': '/var/log/amphora-agent.log',
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ Routines for configuring Octavia
|
|||
"""
|
||||
|
||||
import os
|
||||
import ssl
|
||||
import sys
|
||||
|
||||
from keystoneauth1 import loading as ks_loading
|
||||
|
|
@ -34,6 +35,9 @@ from octavia import version
|
|||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
TLS_PROTOCOL_CHOICES = [
|
||||
p[9:].replace('_', '.') for p in ssl._PROTOCOL_NAMES.values()]
|
||||
|
||||
|
||||
core_opts = [
|
||||
cfg.HostnameOpt('host', default=utils.get_hostname(),
|
||||
|
|
@ -110,6 +114,10 @@ amphora_agent_opts = [
|
|||
cfg.IntOpt('agent_request_read_timeout', default=180,
|
||||
help=_("The time in seconds to allow a request from the "
|
||||
"controller to run before terminating the socket.")),
|
||||
cfg.StrOpt('agent_tls_protocol', default='TLSv1.2',
|
||||
help=_("Minimum TLS protocol for communication with the "
|
||||
"amphora agent."),
|
||||
choices=TLS_PROTOCOL_CHOICES),
|
||||
# Do not specify in octavia.conf, loaded at runtime
|
||||
cfg.StrOpt('amphora_id', help=_("The amphora ID.")),
|
||||
cfg.StrOpt('amphora_udp_driver',
|
||||
|
|
|
|||
|
|
@ -81,7 +81,8 @@ class AgentJinjaTestCase(base.TestCase):
|
|||
'/etc/network/interfaces.d/\n'
|
||||
'agent_request_read_timeout = 180\n'
|
||||
'amphora_id = ' + AMP_ID + '\n'
|
||||
'amphora_udp_driver = keepalived_lvs\n\n'
|
||||
'amphora_udp_driver = keepalived_lvs\n'
|
||||
'agent_tls_protocol = TLSv1.2\n\n'
|
||||
'[controller_worker]\n'
|
||||
'loadbalancer_topology = ' +
|
||||
constants.TOPOLOGY_SINGLE)
|
||||
|
|
@ -119,7 +120,8 @@ class AgentJinjaTestCase(base.TestCase):
|
|||
'/etc/network/interfaces\n'
|
||||
'agent_request_read_timeout = 180\n'
|
||||
'amphora_id = ' + AMP_ID + '\n'
|
||||
'amphora_udp_driver = keepalived_lvs\n\n'
|
||||
'amphora_udp_driver = keepalived_lvs\n'
|
||||
'agent_tls_protocol = TLSv1.2\n\n'
|
||||
'[controller_worker]\n'
|
||||
'loadbalancer_topology = ' +
|
||||
constants.TOPOLOGY_ACTIVE_STANDBY)
|
||||
|
|
@ -157,7 +159,8 @@ class AgentJinjaTestCase(base.TestCase):
|
|||
'/etc/network/interfaces.d/\n'
|
||||
'agent_request_read_timeout = 180\n'
|
||||
'amphora_id = ' + AMP_ID + '\n'
|
||||
'amphora_udp_driver = new_udp_driver\n\n'
|
||||
'amphora_udp_driver = new_udp_driver\n'
|
||||
'agent_tls_protocol = TLSv1.2\n\n'
|
||||
'[controller_worker]\n'
|
||||
'loadbalancer_topology = ' +
|
||||
constants.TOPOLOGY_SINGLE)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
Communication between the control-plane and the amphora-agent now uses
|
||||
minimum TLSv1.2 by default, and is configurable. The previous default of
|
||||
SSLv2/3 is widely considered insecure.
|
||||
Loading…
Reference in New Issue