From 1c46f6e1cd6fbaee688e153422a951acfbdaf4f6 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Fri, 27 Apr 2018 12:37:07 -0400
Subject: [PATCH] Disallow SSLv2, SSLv3 and TLS1.0 in mysql for FedRAMP compliance

We cannot disable a specific protocol when using SSL in mysql, so in order to enforce TLS1.1 or greater, we disallow all ciphers provided by SSLv2 SSLv3 and TLS1.0.
Galera group communication cannot be configured with a list of available ciphers, so configure gcomm to use AES128-SHA256, which seems to be the closest from the default AES128-SHA.
Inherit the cipher list settings for the rsync SST.

Change-Id: Ib3625020e60665f91b9009e7f06b9b25a6970a9b
---
 manifests/profile/base/database/mysql.pp | 9 ++++++
 manifests/profile/pacemaker/database/mysql.pp | 30 +++++++++++++++----
 .../pacemaker/database/mysql_bundle.pp | 30 +++++++++++++++----
 3 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index e96c67bc3..b3316d4c1 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -38,6 +38,11 @@
 # principal: "mysql/"
 # Defaults to {}.
 #
+# [*cipher_list*]
+# (Optional) When enable_internal_tls is true, defines the list of allowed
+# ciphers for the mysql server.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
+#
 # [*enable_internal_tls*]
 # (Optional) Whether TLS in the internal network is enabled or not.
 # Defaults to hiera('enable_internal_tls', false)
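Review bot: The new `cipher_list` doc should say what the string actually is, because `!SSLv3` and `!TLSv1` read like protocol switches but are OpenSSL cipher-suite group aliases: if I read the OpenSSL cipher-string grammar correctly, `TLSv1` is an alias for the SSLv3 suite set and TLS 1.1 introduces no suites of its own, so this default leaves only TLS 1.2 suites (SHA-256/384 and AEAD) and that is what stops TLS 1.0/1.1 clients from completing a handshake — effectively TLS 1.2-only rather than the "TLS1.1 or greater" in the commit message. Suggest extending the comment after `ciphers for the mysql server.` with `# This is an OpenSSL cipher-list string, not a protocol setting: it works by` / `# leaving only TLS 1.2 cipher suites so older clients cannot negotiate one.` / `# Prefer the server's tls_version option where the deployed MariaDB has it.` Operators tuning the list for compliance would otherwise not know that dropping `!TLSv1` silently re-enables TLS 1.0 and 1.1.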
@@ -78,6 +83,7 @@ class tripleo::profile::base::database::mysql (
 $bind_address = $::hostname,
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
 $certificate_specs = {},
+ $cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $generate_dropin_file_limit = false,
 $innodb_buffer_pool_size = hiera('innodb_buffer_pool_size', undef),
@@ -100,12 +106,14 @@ class tripleo::profile::base::database::mysql (
 if $enable_internal_tls {
 $tls_certfile = $certificate_specs['service_certificate']
 $tls_keyfile = $certificate_specs['service_key']
+ $tls_cipher_list = $cipher_list
 # Force users/grants created to use TLS connections
 Openstacklib::Db::Mysql <||> {
 tls_options => ['SSL']
 }
 } else {
 $tls_certfile = undef
 $tls_keyfile = undef
+ $tls_cipher_list = undef
 }
 # non-ha scenario
@@ -136,6 +144,7 @@ class tripleo::profile::base::database::mysql (
 'ssl' => $enable_internal_tls,
 'ssl-key' => $tls_keyfile,
 'ssl-cert' => $tls_certfile,
+ 'ssl-cipher' => $tls_cipher_list,
 'ssl-ca' => undef,
 }
 }
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 0d7eed990..b3f8dc61a 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
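Review bot: `'ssl-cipher' => $tls_cipher_list` in the last hunk hands an OpenSSL-syntax list (`kEECDH`, `!SSLv3`, `!TLSv1`) to mysqld, and that vocabulary is only meaningful when the server is linked against OpenSSL; a build on yaSSL/wolfSSL or GnuTLS understands a much smaller set, and as far as I recall an unparsable list makes some server versions log an SSL init error and start with TLS disabled rather than refuse to start, which would turn this hardening into a fail-open. Worth a comment on that line, e.g. `# OpenSSL cipher-list syntax; assumes mysqld is linked against OpenSSL`, and ideally a post-deploy check that the server actually reports TLS 1.2 suites. Note also that `'ssl-ca' => undef` on the following line leaves client certificates unverified, so the cipher restriction is the only TLS hardening in this hash; that is pre-existing, but relevant to the compliance goal. The options hash and the class body continue outside this hunk.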
@@ -59,10 +59,21 @@
 # one step.
 # Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
 #
+# [*cipher_list*]
+# (Optional) When enable_internal_tls is true, defines the list of allowed
+# ciphers for the mysql server and Galera (including SST).
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
+#
+# [*gcomm_cipher*]
+# (Optional) When enable_internal_tls is true, defines the cipher
+# used by Galera for the gcomm replication traffic.
+# Defaults to 'AES128-SHA256'
+#
 # [*sst_tls_cipher*]
 # (Optional) When enable_internal_tls is true, defines the list of
-# ciphers that the socat may use to tunnel SST connections.
-# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+# ciphers that the socat may use to tunnel SST connections. Deprecated,
+# now socat is configured based on option cipher_list.
+# Defaults to undef
 #
 # [*sst_tls_options*]
 # (Optional) When enable_internal_tls is true, defines additional
@@ -86,11 +97,13 @@ class tripleo::profile::pacemaker::database::mysql (
 $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
 $bind_address = $::hostname,
 $ca_file = undef,
+ $cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
+ $gcomm_cipher = 'AES128-SHA256',
 $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $gmcast_listen_addr = hiera('mysql_bind_host'),
 $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
- $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $sst_tls_cipher = undef,
 $sst_tls_options = undef,
 $ipv6 = str2bool(hiera('mysql_ipv6', false)),
 $step = Integer(hiera('step')),
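Review bot: The `cipher_list` doc line `ciphers for the mysql server and Galera (including SST)` overstates its reach: in this same commit gcomm is configured from `gcomm_cipher` via `socket.ssl_cipher`, while `cipher_list` only feeds mysqld's `ssl-cipher` and the socat tunnel used by the rsync SST. Suggest `# ciphers for the mysql server and for the socat tunnel used by the rsync SST;` / `# Galera gcomm replication traffic is governed by gcomm_cipher instead.` The `gcomm_cipher` entry should also state that it takes a single OpenSSL cipher name rather than a list, since that difference is the reason the two parameters exist separately.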
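Review bot: `$cipher_list` defaults to a literal here while `$certificate_specs` on the very next line deliberately defaults to `hiera('tripleo::profile::base::database::mysql::certificate_specs', {})`; since this class appears to pass `cipher_list => $cipher_list` into the base class declaration later in the file, a value an operator sets under the base-class key in hiera would be overridden by this literal on HA deployments, which is presumably the trap the certificate_specs lookup exists to avoid. Suggest the sibling pattern: `$cipher_list = hiera('tripleo::profile::base::database::mysql::cipher_list', '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'),`. The two new parameters are also inserted between `$ca_file` and `$certificate_specs`, breaking the alphabetical order the rest of the list keeps; `$gcomm_cipher` belongs after `$enable_internal_tls`. The parameter list continues beyond this hunk.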
@@ -134,14 +147,20 @@ class tripleo::profile::pacemaker::database::mysql (
 $tls_ca_options = ''
 $sst_tca = {}
 }
- $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};socket.ssl_cipher=${gcomm_cipher};${tls_ca_options};"
 $wsrep_sst_method = 'rsync_tunnel'
 if $ipv6 {
 $sst_ipv6 = 'pf=ip6'
 } else {
 $sst_ipv6 = undef
 }
- $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+ if defined(sst_tls_cipher) {
+ warning('The sst_tls_cipher parameter is deprecated, use cipher_list')
+ $sst_cipher = $sst_tls_cipher
+ } else {
+ $sst_cipher = $cipher_list
+ }
+ $all_sst_options = ["cipher=${sst_cipher}", $sst_tls_options, $sst_ipv6]
 $sst_sockopt = {
 'sockopt' => join(delete_undef_values($all_sst_options), ',')
 }
@@ -209,6 +228,7 @@ class tripleo::profile::pacemaker::database::mysql (
 manage_resources => false,
 remove_default_accounts => $remove_default_accounts,
 mysql_server_options => $mysqld_options,
+ cipher_list => $cipher_list
 }

 if $step >= 1 and $pacemaker_master and hiera('stack_action') == 'UPDATE' {
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 7913ce2ab..df25403f6 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
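Review bot: `if defined(sst_tls_cipher) {` does not test the parameter: in Puppet 4+ the bareword is the string `'sst_tls_cipher'`, and `defined()` given a string asks whether a class or resource type of that name exists, which it does not, so the branch is always false, the deprecation `warning()` never fires and an operator-supplied `sst_tls_cipher` is silently dropped. The fallback happens to be the stricter `cipher_list`, so nothing is weakened, but the compatibility path as written is dead code. Suggest `if $sst_tls_cipher {` (or `if $sst_tls_cipher != undef {` if an explicit empty string should be honoured). The enclosing class body starts before and ends after this hunk, and the same construct appears in mysql_bundle.pp.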
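Review bot: `cipher_list => $cipher_list` is the only attribute in this declaration without a trailing comma, while `mysql_server_options => $mysqld_options,` and the lines above all carry one; Puppet accepts both, but the inconsistency turns the next addition into a two-line diff. Suggest `cipher_list => $cipher_list,`. The declaration this attribute belongs to opens before the hunk.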
@@ -67,10 +67,21 @@
 # one step.
 # Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
 #
+# [*cipher_list*]
+# (Optional) When enable_internal_tls is true, defines the list of allowed
+# ciphers for the mysql server and Galera (including SST).
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1'
+#
+# [*gcomm_cipher*]
+# (Optional) When enable_internal_tls is true, defines the cipher
+# used by Galera for the gcomm replication traffic.
+# Defaults to 'AES128-SHA256'
+#
 # [*sst_tls_cipher*]
 # (Optional) When enable_internal_tls is true, defines the list of
-# ciphers that the socat may use to tunnel SST connections.
-# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+# ciphers that the socat may use to tunnel SST connections. Deprecated,
+# now socat is configured based on option cipher_list.
+# Defaults to undef
 #
 # [*sst_tls_options*]
 # (Optional) When enable_internal_tls is true, defines additional
@@ -97,11 +108,13 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
 $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
 $bind_address = $::hostname,
 $ca_file = undef,
+ $cipher_list = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1',
+ $gcomm_cipher = 'AES128-SHA256',
 $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $gmcast_listen_addr = hiera('mysql_bind_host'),
 $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
- $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $sst_tls_cipher = undef,
 $sst_tls_options = undef,
 $ipv6 = str2bool(hiera('mysql_ipv6', false)),
 $pcs_tries = hiera('pcs_tries', 20),
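Review bot: The `gcomm_cipher` doc gives the default `AES128-SHA256` without saying what it trades away: that suite is TLS 1.2-only, which meets the goal, but it uses static RSA key exchange, so the Galera replication stream gets no forward secrecy, and it is a single cipher name rather than a list (the commit message says gcomm cannot take a list). Suggest adding after `Defaults to 'AES128-SHA256'`: `# One OpenSSL cipher name, not a list. The default is TLS 1.2-only but uses` / `# RSA key exchange (no forward secrecy); prefer an ECDHE suite such as` / `# ECDHE-RSA-AES128-GCM-SHA256 where the Galera build supports it.` The `sst_tls_cipher` entry could also say that, when set, it is meant to take precedence over `cipher_list` for the SST tunnel, which is what the code change in this file intends.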
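Review bot: `$cipher_list` and `$gcomm_cipher` are inserted between `$ca_file` and `$certificate_specs`, breaking the alphabetical order the rest of this parameter list keeps; `$cipher_list` does sort after `$ca_file`, but `$gcomm_cipher` belongs after `$enable_internal_tls`. As with the non-bundle class, the literal default also bypasses hiera for the base-class key that `$certificate_specs` on the next line deliberately looks up, so the same `hiera('tripleo::profile::base::database::mysql::cipher_list', '…')` default would keep HA and non-HA deployments configurable from one place. The parameter list continues beyond this hunk.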
@@ -147,14 +160,20 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
 $tls_ca_options = ''
 $sst_tca = {}
 }
- $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};socket.ssl_cipher=${gcomm_cipher};${tls_ca_options};"
 $wsrep_sst_method = 'rsync_tunnel'
 if $ipv6 {
 $sst_ipv6 = 'pf=ip6'
 } else {
 $sst_ipv6 = undef
 }
- $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+ if defined(sst_tls_cipher) {
+ warning('The sst_tls_cipher parameter is deprecated, use cipher_list')
+ $sst_cipher = $sst_tls_cipher
+ } else {
+ $sst_cipher = $cipher_list
+ }
+ $all_sst_options = ["cipher=${sst_cipher}", $sst_tls_options, $sst_ipv6]
 $sst_sockopt = {
 'sockopt' => join(delete_undef_values($all_sst_options), ',')
 }
@@ -258,6 +277,7 @@ MYSQL_HOST=localhost\n",
 manage_resources => false,
 remove_default_accounts => $remove_default_accounts,
 mysql_server_options => $mysqld_options,
+ cipher_list => $cipher_list
 }

 if $pacemaker_master {
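Review bot: `if defined(sst_tls_cipher) {` has the same problem as in mysql.pp: the bareword is the string `'sst_tls_cipher'` in Puppet 4+, and `defined()` on a string checks for a class or resource type of that name, so the condition is always false, the deprecation `warning()` is unreachable and a configured `sst_tls_cipher` is silently ignored in favour of `cipher_list`. Suggest `if $sst_tls_cipher {`. Since `$sst_cipher` is interpolated into the socat `sockopt` string on the next lines, it is also worth a short comment there that the value must be an OpenSSL cipher-list string without commas, because `join(..., ',')` is the option separator. The enclosing class starts before and ends after this hunk.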