Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Secure Connections Standard #548

Open
wants to merge 41 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
3a497cd
Add first part of the secure connections standard
markus-hentsch Apr 4, 2024
0821bd6
Add notes about the classifications
markus-hentsch Apr 4, 2024
291b3da
Add considered options and open questions
markus-hentsch Apr 4, 2024
2810fbf
Fix linter problems
markus-hentsch Apr 4, 2024
efce5f8
Add TLS standardization
markus-hentsch Apr 4, 2024
82bbe94
Add database and message queue channel security, extend TLS cipher rules
markus-hentsch Apr 5, 2024
297e562
Add remaining decision sections
markus-hentsch Apr 5, 2024
1f1afe3
Add testing script for secure connection standard (WIP)
markus-hentsch Apr 5, 2024
b1c6f2b
Turn avoiding CBC mode into a recommendation.
markus-hentsch Apr 8, 2024
cb1242d
Refactor the TLS test script to use SSLyze
markus-hentsch Apr 8, 2024
2ff4d90
Add testing README and reference
markus-hentsch Apr 9, 2024
0d35174
Address review feedback
markus-hentsch Apr 9, 2024
3a9efd9
Fix typo in test script comment
markus-hentsch Apr 9, 2024
333f953
Add glossary and rephrase "SCS" to "SCS project"
markus-hentsch Apr 19, 2024
d69af20
Rename standard filename due to conflicting counter
markus-hentsch Apr 22, 2024
13d850d
Refine the scope in regards to the communication channels
markus-hentsch Apr 30, 2024
914631c
s/IPsec/WireGuard/
markus-hentsch Apr 30, 2024
096675b
Fix option references for oslo.messaging ssl
markus-hentsch Apr 30, 2024
73dce0a
Add RFC link for TLS deprecation
markus-hentsch Apr 30, 2024
0ed970d
Don't endorse internal CAs specifically
markus-hentsch Apr 30, 2024
a2f3e77
Refactor test script to check Mozilla TLS recommendations
markus-hentsch May 21, 2024
4885429
Update standard to reference Mozilla's TLS recommendations
markus-hentsch May 21, 2024
1cbd1d0
Migrate test script requirements to requirements.in
markus-hentsch May 22, 2024
6a0920a
Add libvirt security choices to design considerations
markus-hentsch May 23, 2024
59c7bc8
Add open question about libvirt hardening
markus-hentsch Jun 18, 2024
3bdc8a6
Relax the requirement for the libvirt port
markus-hentsch Jun 18, 2024
d166e7e
Rephrase and clarify libvirt security recommendations and questions
markus-hentsch Jun 20, 2024
e757dd2
Add Mozilla TLS JSON override option to test script
markus-hentsch Jun 28, 2024
042e5f3
Fully parameterize Mozilla TLS config in test script
markus-hentsch Jun 28, 2024
23423b8
Rename cli args in test script
markus-hentsch Jun 28, 2024
e9dacb8
Add Mozilla TLS JSON copy and staging YAML entry
markus-hentsch Jun 28, 2024
8d92617
Add remark about internal audits
markus-hentsch Jun 28, 2024
5f7ccd2
Remove specific MQ SSL config examples, refer to docs
markus-hentsch Jul 26, 2024
36780c6
Merge branch 'main' into feat/secure-communication
bitkeks Aug 9, 2024
be1848c
Merge branch 'main' into feat/secure-communication
markus-hentsch Aug 19, 2024
71a663c
Align header naming with latest standards template
markus-hentsch Aug 19, 2024
c9984db
Add storage channels
markus-hentsch Sep 12, 2024
a503303
Merge remote-tracking branch 'origin/main' into feat/secure-communica…
markus-hentsch Oct 18, 2024
5405304
Assign document number 0122
markus-hentsch Oct 18, 2024
2c47877
Update scs-compatible-test.yaml
markus-hentsch Oct 18, 2024
2be9a0a
Merge branch 'main' into feat/secure-communication
anjastrunk Nov 6, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
285 changes: 285 additions & 0 deletions Standards/scs-0122-v1-secure-connections.md

Large diffs are not rendered by default.

61 changes: 61 additions & 0 deletions Tests/iaas/secure-connections/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Secure Connections Standard Test Suite

## Test Environment Setup

> **NOTE:** The test execution procedure does not require cloud admin rights.

A valid cloud configuration for the OpenStack SDK in the shape of "`clouds.yaml`" is mandatory[^1].
**This file is expected to be located in the current working directory where the test script is executed unless configured otherwise.**

[^1]: [OpenStack Documentation: Configuring OpenStack SDK Applications](https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html)

The test execution environment can be located on any system outside of the cloud infrastructure that has OpenStack API access.
Make sure that the API access is configured properly in "`clouds.yaml`".

It is recommended to use a Python virtual environment[^2].
Next, install the libraries required by the test suite:

```bash
pip3 install openstacksdk sslyze
```

> Note: the version of the sslyze library determines the [version of the Mozilla TLS recommendation JSON](https://wiki.mozilla.org/Security/Server_Side_TLS#JSON_version_of_the_recommendations) that it checks against.

Within this environment execute the test suite.

[^2]: [Python 3 Documentation: Virtual Environments and Packages](https://docs.python.org/3/tutorial/venv.html)

## Test Execution

The test suite is executed as follows:

```bash
python3 tls-checker.py --os-cloud mycloud
```

As an alternative to "`--os-cloud`", the "`OS_CLOUD`" environment variable may be specified instead.
The parameter is used to look up the correct cloud configuration in "`clouds.yaml`".
For the example command above, this file should contain a `clouds.mycloud` section like this:

```yaml
---
clouds:
mycloud:
auth:
auth_url: ...
...
...
```

For any further options consult the output of "`python3 tls-checker.py --help`".

### Script Behavior & Test Results

The script will print all actions and passed tests to `stdout`.

If all tests pass, the script will return with an exit code of `0`.

If any test fails, the script will halt, print the exact error to `stderr` and return with a non-zero exit code.

Any tests that indicate a recommendation of the standard is not met, will print a warning message under the corresponding endpoint output.
However, unmet recommendations will not count as errors.
209 changes: 209 additions & 0 deletions Tests/iaas/secure-connections/mozilla-tls-profiles/5.7.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
{
"version": 5.7,
"href": "https://ssl-config.mozilla.org/guidelines/5.7.json",
"configurations": {
"modern": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"certificate_types": ["ecdsa"],
"ciphers": {
"caddy": [],
"go": [],
"iana": [],
"openssl": []
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": null,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 90,
"ocsp_staple": true,
"oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": null,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.3"]
},
"intermediate": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"certificate_types": ["ecdsa", "rsa"],
"ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305"
]
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": 2048,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.2", "TLSv1.3"]
},
"old": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["sha256WithRSAEncryption"],
"certificate_types": ["rsa"],
"ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"AES128-GCM-SHA256",
"AES256-GCM-SHA384",
"AES128-SHA256",
"AES256-SHA256",
"AES128-SHA",
"AES256-SHA",
"DES-CBC3-SHA"
]
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": 1024,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": true,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
}
}
}
2 changes: 2 additions & 0 deletions Tests/iaas/secure-connections/mozilla-tls-profiles/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Files in this folder are used for automated testing.
They are pulled from https://wiki.mozilla.org/Security/Server_Side_TLS#JSON_version_of_the_recommendations
Loading
Loading