Disallow SSLv2, SSLv3 and TLS1.0 in mysql for FedRAMP compliance

We cannot disable a specific protocol when using SSL in mysql, so in order to
enforce TLS1.1 or greater, we disallow all ciphers provided by SSLv2 SSLv3 and
TLS1.0.

Galera group communication cannot be configured with a list of available
ciphers, so configure gcomm to use AES128-SHA256, which seems to be the closest
to the default AES128-SHA.

Inherit the cipher list settings for the rsync SST.

Change-Id: Ib3625020e60665f91b9009e7f06b9b25a6970a9b
This commit is contained in:
Damien Ciabrini 2018-04-27 12:37:07 -04:00
parent 6b9f8a5f26
commit 1c46f6e1cd
3 changed files with 59 additions and 10 deletions


@ -38,6 +38,11 @@
# principal: "mysql/<overcloud controller fqdn>"
# Defaults to {}.
#
# [*cipher_list*]
# (Optional) When enable_internal_tls is true, defines the list of allowed
# ciphers for the mysql server.
# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
#
# [*enable_internal_tls*]
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
@ -78,6 +83,7 @@ class tripleo::profile::base::database::mysql (
$bind_address = $::hostname,
$bootstrap_node = hiera('bootstrap_nodeid', undef),
$certificate_specs = {},
$cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
$enable_internal_tls = hiera('enable_internal_tls', false),
$generate_dropin_file_limit = false,
$innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef),
@ -100,12 +106,14 @@ class tripleo::profile::base::database::mysql (
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
$tls_cipher_list = $cipher_list
# Force users/grants created to use TLS connections
Openstacklib::Db::Mysql <||> { tls_options => ['SSL'] }
} else {
$tls_certfile = undef
$tls_keyfile = undef
$tls_cipher_list = undef
}
# non-ha scenario
@ -136,6 +144,7 @@ class tripleo::profile::base::database::mysql (
'ssl' => $enable_internal_tls,
'ssl-key' => $tls_keyfile,
'ssl-cert' => $tls_certfile,
'ssl-cipher' => $tls_cipher_list,
'ssl-ca' => undef,
}
}
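Review bot: The `cipher_list` parameter comment at the top of this section should explain how the string enforces a protocol floor, because as written it reads like an ordinary cipher preference and a maintainer could "simplify" it. In OpenSSL cipher-string syntax `!SSLv3` and `!TLSv1` remove every suite defined for SSLv3/TLS 1.0, which leaves only the SHA-256/SHA-384 and AEAD suites introduced with TLS 1.2; since TLS 1.1 added no suites of its own, the practical effect is TLS 1.2-only rather than the "TLS1.1 or greater" stated in the commit message. This also only holds when the server is linked against OpenSSL; a build on a different TLS library would not interpret these group keywords the same way, if at all. I would add to the comment: `# Relies on OpenSSL cipher-string keywords: dropping the SSLv3 and TLSv1 suite groups leaves only TLS 1.2 suites, so pre-1.2 clients cannot negotiate.`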


@ -59,10 +59,21 @@
# one step.
# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
#
# [*cipher_list*]
# (Optional) When enable_internal_tls is true, defines the list of allowed
# ciphers for the mysql server and Galera (including SST).
# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
#
# [*gcomm_cipher*]
# (Optional) When enable_internal_tls is true, defines the cipher
# used by Galera for the gcomm replication traffic.
# Defaults to 'AES128-SHA256'
#
# [*sst_tls_cipher*]
# (Optional) When enable_internal_tls is true, defines the list of
# ciphers that the socat may use to tunnel SST connections.
# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
# ciphers that the socat may use to tunnel SST connections. Deprecated,
# now socat is configured based on option cipher_list.
# Defaults to undef
#
# [*sst_tls_options*]
# (Optional) When enable_internal_tls is true, defines additional
@ -86,11 +97,13 @@ class tripleo::profile::pacemaker::database::mysql (
$bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
$bind_address = $::hostname,
$ca_file = undef,
$cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
$gcomm_cipher = 'AES128-SHA256',
$certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$gmcast_listen_addr = hiera('mysql_bind_host'),
$innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
$sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$sst_tls_cipher = undef,
$sst_tls_options = undef,
$ipv6 = str2bool(hiera('mysql_ipv6', false)),
$step = Integer(hiera('step')),
@ -134,14 +147,20 @@ class tripleo::profile::pacemaker::database::mysql (
$tls_ca_options = ''
$sst_tca = {}
}
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};socket.ssl_cipher=${gcomm_cipher};${tls_ca_options};"
$wsrep_sst_method = 'rsync_tunnel'
if $ipv6 {
$sst_ipv6 = 'pf=ip6'
} else {
$sst_ipv6 = undef
}
$all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
if defined(sst_tls_cipher) {
warning('The sst_tls_cipher parameter is deprecated, use cipher_list')
$sst_cipher = $sst_tls_cipher
} else {
$sst_cipher = $cipher_list
}
$all_sst_options = ["cipher=${sst_cipher}", $sst_tls_options, $sst_ipv6]
$sst_sockopt = {
'sockopt' => join(delete_undef_values($all_sst_options), ',')
}
@ -209,6 +228,7 @@ class tripleo::profile::pacemaker::database::mysql (
manage_resources => false,
remove_default_accounts => $remove_default_accounts,
mysql_server_options => $mysqld_options,
cipher_list => $cipher_list
}
if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' {
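Review bot: The deprecation branch `if defined(sst_tls_cipher)` never fires: in Puppet a bare word is a string, and `defined('sst_tls_cipher')` asks whether a resource type or class of that name exists, not whether the parameter carries a value. As written the condition is always false, so a caller who still passes `sst_tls_cipher` has it silently replaced by `cipher_list` and never sees the warning; the new default is stricter than the old `sst_tls_cipher` default, so this does not weaken the cipher set, but the compatibility shim is dead code. The intended check is on the variable: `if $sst_tls_cipher != undef {`. The same construct appears in the mysql_bundle profile further down. The enclosing class continues past the hunk.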


@ -67,10 +67,21 @@
# one step.
# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
#
# [*cipher_list*]
# (Optional) When enable_internal_tls is true, defines the list of allowed
# ciphers for the mysql server and Galera (including SST).
# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
#
# [*gcomm_cipher*]
# (Optional) When enable_internal_tls is true, defines the cipher
# used by Galera for the gcomm replication traffic.
# Defaults to 'AES128-SHA256'
#
# [*sst_tls_cipher*]
# (Optional) When enable_internal_tls is true, defines the list of
# ciphers that the socat may use to tunnel SST connections.
# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
# ciphers that the socat may use to tunnel SST connections. Deprecated,
# now socat is configured based on option cipher_list.
# Defaults to undef
#
# [*sst_tls_options*]
# (Optional) When enable_internal_tls is true, defines additional
@ -97,11 +108,13 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
$bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
$bind_address = $::hostname,
$ca_file = undef,
$cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
$gcomm_cipher = 'AES128-SHA256',
$certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$enable_internal_tls = hiera('enable_internal_tls', false),
$gmcast_listen_addr = hiera('mysql_bind_host'),
$innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
$sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$sst_tls_cipher = undef,
$sst_tls_options = undef,
$ipv6 = str2bool(hiera('mysql_ipv6', false)),
$pcs_tries = hiera('pcs_tries', 20),
@ -147,14 +160,20 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
$tls_ca_options = ''
$sst_tca = {}
}
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};socket.ssl_cipher=${gcomm_cipher};${tls_ca_options};"
$wsrep_sst_method = 'rsync_tunnel'
if $ipv6 {
$sst_ipv6 = 'pf=ip6'
} else {
$sst_ipv6 = undef
}
$all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
if defined(sst_tls_cipher) {
warning('The sst_tls_cipher parameter is deprecated, use cipher_list')
$sst_cipher = $sst_tls_cipher
} else {
$sst_cipher = $cipher_list
}
$all_sst_options = ["cipher=${sst_cipher}", $sst_tls_options, $sst_ipv6]
$sst_sockopt = {
'sockopt' => join(delete_undef_values($all_sst_options), ',')
}
@ -258,6 +277,7 @@ MYSQL_HOST=localhost\n",
manage_resources => false,
remove_default_accounts => $remove_default_accounts,
mysql_server_options => $mysqld_options,
cipher_list => $cipher_list
}
if $pacemaker_master {
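Review bot: `$gcomm_cipher = 'AES128-SHA256'` pins Galera replication to a single RSA-key-exchange CBC suite, which does satisfy the TLS 1.2 floor but gives the gcomm link no forward secrecy, unlike the kEECDH-first `cipher_list` used for the server and SST. Whether `socket.ssl_cipher` accepts a full OpenSSL cipher list rather than one suite is worth verifying against the Galera build in use; if it does, an ECDHE suite such as `ECDHE-RSA-AES128-GCM-SHA256`, or `cipher_list` itself, would be a better default, and either way the parameter comment should say why a single suite is pinned. Separately, `if defined(sst_tls_cipher)` has the same flaw as in the pacemaker mysql profile: a bare word is a string naming a resource type, so the branch never runs and the deprecation warning is dead; it should read `if $sst_tls_cipher != undef {`. The enclosing class continues past the hunk.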