Force amp-agent communication to TLSv1.2

Also allow configuration of this minimum.
The previous default of SSLv2/3 is very insecure.

Change-Id: If34c7c34d9a6a77685fb177976dc2070760c7b37
This commit is contained in:
Adam Harwell 2019-05-08 15:40:28 -07:00
parent 987a6b3f1d
commit 5b831f2a5b
8 changed files with 35 additions and 3 deletions

View File

@ -298,6 +298,9 @@
# agent_server_network_file =
# agent_request_read_timeout = 180
# Minimum TLS protocol, eg: TLS, TLSv1.1, TLSv1.2, TLSv1.3 (if available)
# agent_tls_protocol = TLSv1.2
# Amphora default UDP driver is keepalived_lvs
#
# amphora_udp_driver = keepalived_lvs

View File

@ -58,4 +58,5 @@ class AgentJinjaTemplater(object):
'respawn_count': CONF.haproxy_amphora.respawn_count,
'respawn_interval': CONF.haproxy_amphora.respawn_interval,
'amphora_udp_driver': CONF.amphora_agent.amphora_udp_driver,
'agent_tls_protocol': CONF.amphora_agent.agent_tls_protocol,
'topology': topology})

View File

@ -42,6 +42,7 @@ agent_server_network_file = {{ agent_server_network_file }}
agent_request_read_timeout = {{ agent_request_read_timeout }}
amphora_id = {{ amphora_id }}
amphora_udp_driver = {{ amphora_udp_driver }}
agent_tls_protocol = {{ agent_tls_protocol }}
[controller_worker]
loadbalancer_topology = {{ topology }}

View File

@ -15,6 +15,7 @@
import functools
import hashlib
import os
import ssl
import time
import warnings
@ -403,6 +404,12 @@ class CustomHostNameCheckingAdapter(requests.adapters.HTTPAdapter):
return super(CustomHostNameCheckingAdapter,
self).cert_verify(conn, url, verify, cert)
def init_poolmanager(self, *pool_args, **pool_kwargs):
proto = CONF.amphora_agent.agent_tls_protocol.replace('.', '_')
pool_kwargs['ssl_version'] = getattr(ssl, "PROTOCOL_%s" % proto)
return super(CustomHostNameCheckingAdapter,
self).init_poolmanager(*pool_args, **pool_kwargs)
class AmphoraAPIClient(object):
def __init__(self):

View File

@ -15,6 +15,7 @@
# make sure PYTHONPATH includes the home directory if you didn't install
import multiprocessing as multiproc
import ssl
import sys
import gunicorn.app.base
@ -68,6 +69,7 @@ def main():
bind_ip_port = utils.ip_port_str(CONF.haproxy_amphora.bind_host,
CONF.haproxy_amphora.bind_port)
proto = CONF.amphora_agent.agent_tls_protocol.replace('.', '_')
options = {
'bind': bind_ip_port,
'workers': 1,
@ -75,6 +77,7 @@ def main():
'certfile': CONF.amphora_agent.agent_server_cert,
'ca_certs': CONF.amphora_agent.agent_server_ca,
'cert_reqs': True,
'ssl_version': getattr(ssl, "PROTOCOL_%s" % proto),
'preload_app': True,
'accesslog': '/var/log/amphora-agent.log',
'errorlog': '/var/log/amphora-agent.log',

View File

@ -18,6 +18,7 @@ Routines for configuring Octavia
"""
import os
import ssl
import sys
from keystoneauth1 import loading as ks_loading
@ -34,6 +35,9 @@ from octavia import version
LOG = logging.getLogger(__name__)
TLS_PROTOCOL_CHOICES = [
p[9:].replace('_', '.') for p in ssl._PROTOCOL_NAMES.values()]
core_opts = [
cfg.HostnameOpt('host', default=utils.get_hostname(),
@ -110,6 +114,10 @@ amphora_agent_opts = [
cfg.IntOpt('agent_request_read_timeout', default=180,
help=_("The time in seconds to allow a request from the "
"controller to run before terminating the socket.")),
cfg.StrOpt('agent_tls_protocol', default='TLSv1.2',
help=_("Minimum TLS protocol for communication with the "
"amphora agent."),
choices=TLS_PROTOCOL_CHOICES),
# Do not specify in octavia.conf, loaded at runtime
cfg.StrOpt('amphora_id', help=_("The amphora ID.")),
cfg.StrOpt('amphora_udp_driver',

View File

@ -81,7 +81,8 @@ class AgentJinjaTestCase(base.TestCase):
'/etc/network/interfaces.d/\n'
'agent_request_read_timeout = 180\n'
'amphora_id = ' + AMP_ID + '\n'
'amphora_udp_driver = keepalived_lvs\n\n'
'amphora_udp_driver = keepalived_lvs\n'
'agent_tls_protocol = TLSv1.2\n\n'
'[controller_worker]\n'
'loadbalancer_topology = ' +
constants.TOPOLOGY_SINGLE)
@ -119,7 +120,8 @@ class AgentJinjaTestCase(base.TestCase):
'/etc/network/interfaces\n'
'agent_request_read_timeout = 180\n'
'amphora_id = ' + AMP_ID + '\n'
'amphora_udp_driver = keepalived_lvs\n\n'
'amphora_udp_driver = keepalived_lvs\n'
'agent_tls_protocol = TLSv1.2\n\n'
'[controller_worker]\n'
'loadbalancer_topology = ' +
constants.TOPOLOGY_ACTIVE_STANDBY)
@ -157,7 +159,8 @@ class AgentJinjaTestCase(base.TestCase):
'/etc/network/interfaces.d/\n'
'agent_request_read_timeout = 180\n'
'amphora_id = ' + AMP_ID + '\n'
'amphora_udp_driver = new_udp_driver\n\n'
'amphora_udp_driver = new_udp_driver\n'
'agent_tls_protocol = TLSv1.2\n\n'
'[controller_worker]\n'
'loadbalancer_topology = ' +
constants.TOPOLOGY_SINGLE)

View File

@ -0,0 +1,6 @@
---
security:
- |
Communication between the control-plane and the amphora-agent now uses
minimum TLSv1.2 by default, and is configurable. The previous default of
SSLv2/3 is widely considered insecure.