Secure communication standard for IaaS infastructure #547
Comments
|
Major communication channels that need to be secured:
Resources: |
|
Most of the configuration adjustments proposed here cannot be verified via external tests unfortunately. Only the public-facing APIs can be checked for TLS by inspecting Keystone's service catalog, contacting each public endpoint and verifying its TLS handshake. All the internal stuff would be up to dedicated audits with access to the infrastructure. Speaking of TLS handshakes, I think we should also forbid using older/weak TLS versions and ciphers in the standard. |
|
I began adding TLS specifics to the standard based on the official guidelines on ssl.com1. I think we should align this to the most commonly and broadly accepted current recommendations around TLS. Footnotes |
Might I ask why you choose this specific guide? E.g. I think this guide is better: https://ssl-config.mozilla.org/ because it does not focus on compliance but on security. |
No particular reason. I was just looking for some form of official consensus on current SSL/TLS recommendations to base the standard on. I guess the Mozilla ones12 would be a good alternative. @martinmo had the same thought apparently: #548 (comment) :) I will have a look. Footnotes |
|
I've had a look and it seems that sslyze does indeed support checking against the Mozilla recommendations directly. We could simplify the maintenance effort for this standard by referencing Mozilla's recommendations. However, this would mean referencing recommendations which are also a moving target themselves potentially (how often does Mozilla update this?). I've put it on the agenda for the next IaaS call. |
We discussed this on the SIG Standardization / Certification call: SovereignCloudStack/minutes/sig-standardization/20240516.md#tracking-moving-targets-tls-recommendations-from-mozilla I updated the standard and test script to use the Mozilla TLS recommendations instead after figuring out how that works with the SSLyze library. Sadly, the library only ships the single most recent Mozilla TLS preset version at the time of the library version release1. So, when executing, you cannot choose between the versions of the recommendations. This means the recommendation version is coupled to the library version in a non-obvious way (different version numbers, requiring manual lookup). We should pin the SSLyze library version for the test together with the JSON of the recommendation. Footnotes |
Problem with parameterizing the SSLyze version using /pull/595I looked at the implementation of #595 and tried to adjust the PR of this issue accordingly but it seems that the problem is not properly addressed yet. Due to
... as stated above, parameterization is necessary when implementing the standard and executing tests. This had been mentioned in #592 which was implemented in #595. However this did not consider the
As a result, specifying the SSLyze library version in the There seem to be dirty hacks to install pip packages from within Python code but I'm not a fan. |
|
That's unfortunate. I'm not sure there's a good solution for that, because we need to have a |
|
Another idea would be to vendor sslyze somehow and do so for multiple versions at a time, so we could select the version that we want at runtime (import time) and import that one. |
Solution ideas for the SSLyze versioning dilemmaContext: #547 (comment) a) Modifying the call to the SSLyze library to change version
b) Changing the virtualenv from within the script
c) Vendoring the necessary package versions
d) Monkey patching a different Mozilla JSON in
e) Upstream contribution or fork
Thoughts
Footnotes
|
Good point! I think we can work around the following problem mentioned in c:
as follows: We could indeed prepare one venv per sslyze version that we want to have (maybe prepare during build time, but it could also happen during "dev time"). Then we use The script |
Au contraire! After digging and experimenting a bit more, the following has proven to work: from sslyze.mozilla_tls_profile.mozilla_config_checker import (
MozillaTlsConfigurationChecker,
_MozillaTlsProfileAsJson)
json_file = open(...)
mozilla_json_preset = json.load(json_file)
parsed_profile = _MozillaTlsProfileAsJson(**mozilla_json_preset)
mozilla_checker = MozillaTlsConfigurationChecker(parsed_profile)
mozilla_checker.check_server(...)It is the custom alternative to: mozilla_checker = MozillaTlsConfigurationChecker.get_default()and mimicks its behavior regarding loading the JSON file. We don't need to fiddle with the SSLyze version at all (as long as the implementation does not change the imported classes and functions) and only need to ship and reference the Mozilla JSONs. I vastly prefer this over the other alternatives now. EDIT: implemented changes in the test script. |
|
+1 from me for solution (a) from #547 (comment) I think this is a good compromise, even if Just as a side note, for the venv per sslyze approach you could also use |
|
fwiw my patch to unify the haproxy TLS settings and to update them to a modern standard was finally merged today :https://review.opendev.org/c/openstack/kolla-ansible/+/915403 so on new openstack releases you should only see properly secured TLS API endpoints (if TLS is enabled). |
As a customer I expect the communication channels to and between infrastructure components of an SCS cloud to be secured appropriately, so that in-transit data is protected.
As a CSP I want to establish secure communication channels adhering to the corresponding SCS standard the users can rely on.
Contents
Definition of Done:
Please refer to scs-0001-v1 for details.
scs-xxxx-v1-slug.md(only substituteslug)status,type,tracksetDraft, file renamed:xxxxreplaced by document numberDraft)The text was updated successfully, but these errors were encountered: