Refining rule to remove weak ciphers from lighttpd

This review will be refining https ciphers rule, for
lighttpd service on port 8443, to avoid the use of
ciphers considered weak based on the NIST list.
The ciphers excluded are the ones that use CBC,
CAMELLIA, ARIA and 3DES encryption mode, and any
cipher that uses SHA1.

The ciphers that will be used by https:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_128_GCM_SHA256 (ecdh_x25519)

Test Plan:
PASS: Run build-pkgs -c -p puppet-manifests.
PASS: Enable https and run nmap to verify if only the
      listed ciphers are returned.
PASS: Run build-image.
PASS: Run bootstrap playbook.
PASS: Unlock controller-0.
PASS: Enable https and access horizon via browser
      using https.
PASS: Disable https and access horizon via browser
      using http.

Closes-Bug: 2054813

Change-Id: Ib21eb1155540f820a77ee7f7b9203663038ab69b
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
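The test plan above checks the result by hand with nmap. The script below is an added verification aid and is not part of this change or of the puppet-manifests project: it parses `openssl ciphers -v` output (the constructed sample here mirrors that format; suite names are OpenSSL's, so `ECDHE-RSA-AES128-GCM-SHA256` stands for the IANA name `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` that nmap prints) and flags every suite that the commit message's criteria reject: CBC or any other non-AEAD mode, CAMELLIA, ARIA, 3DES/DES/RC4, SHA1 or MD5 MACs, plus static-RSA key exchange, which the new string also removes. `audit_cipher_list` applies the same check to a real cipher string via the local `openssl` binary when one is installed.

```python
import re
import shutil
import subprocess

# The string this change puts into ssl.cipher-list (copied from the diff).
LIGHTTPD_CIPHER_LIST = (
    "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:"
    "!DES:!CAMELLIA:!MD5:!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:"
    "!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM"
)

# OpenSSL names of the six suites the commit message says must remain.
EXPECTED_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
}

# Constructed sample in `openssl ciphers -v` layout (not captured from the
# patched host): the six expected suites followed by five that must be gone.
SAMPLE_OPENSSL_V = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)               Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256     TLSv1.2 Kx=DH   Au=RSA Enc=Camellia(256)          Mac=SHA256
AES128-GCM-SHA256              TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH Au=RSA Enc=AES(256)               Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA         SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)              Mac=SHA1
"""

# One `openssl ciphers -v` line; the optional "IANA-NAME - " prefix appears
# when -stdname is used.
LINE_RE = re.compile(
    r"^(?:\S+ - )?(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)
FIELDS = ("Name", "Proto", "Kx", "Au", "Enc", "Mac")


def parse_openssl_v(text):
    """Turn `openssl ciphers -v` output into a list of field dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(dict(zip(FIELDS, m.groups())))
    return entries


def weaknesses(entry):
    """Reasons a suite violates the commit's criteria; empty list means it is acceptable."""
    reasons = []
    enc = entry["Enc"].upper()
    if enc.startswith(("3DES", "DES", "RC4", "RC2", "IDEA", "SEED")) or enc == "NONE":
        reasons.append("legacy or null cipher: " + entry["Enc"])
    if enc.startswith(("CAMELLIA", "ARIA")):
        reasons.append("excluded cipher family: " + entry["Enc"])
    if entry["Mac"] != "AEAD":
        reasons.append("non-AEAD (CBC + HMAC) suite, Mac=" + entry["Mac"])
    if entry["Mac"] in ("SHA1", "MD5"):
        reasons.append("weak MAC: " + entry["Mac"])
    if entry["Kx"] == "RSA":
        reasons.append("static RSA key exchange, no forward secrecy")
    if entry["Proto"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        reasons.append("suite only usable with " + entry["Proto"])
    return reasons


def audit(openssl_v_text, expected=EXPECTED_SUITES):
    """Compare an offered suite list against the criteria and the expected set."""
    entries = parse_openssl_v(openssl_v_text)
    offered = {e["Name"] for e in entries}
    weak = {e["Name"]: weaknesses(e) for e in entries if weaknesses(e)}
    return {
        "weak": weak,
        "missing": sorted(expected - offered),
        "unexpected": sorted(offered - expected),
    }


def audit_cipher_list(cipher_list=LIGHTTPD_CIPHER_LIST):
    """Run the audit against the local OpenSSL's expansion of a cipher string."""
    if shutil.which("openssl") is None:
        return None  # no OpenSSL on this host; caller decides how to handle it
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    report = audit(SAMPLE_OPENSSL_V)
    for name, why in report["weak"].items():
        print(f"WEAK {name}: {'; '.join(why)}")
    print("missing:", report["missing"], "unexpected:", report["unexpected"])
```

On a live system, `audit_cipher_list()` answers the same question the nmap step in the test plan does, but for the server's own OpenSSL: anything in `weak` or `unexpected` means the cipher string does not reduce to the six suites the commit message lists.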
Karla Felix 2024-03-11 11:16:31 -03:00
parent 8f4a787df0
commit 075a39e1a2
1 changed files with 2 additions and 2 deletions


@ -257,7 +257,7 @@ $SERVER["socket"] == ":<%= @https_port %>" {
ssl.ca-file = "/etc/ssl/private/server-cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:!DES:!CAMELLIA:!MD5:!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM"
}
$SERVER["socket"] == "[::]:<%= @https_port %>" {
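Review bot: the new `ssl.cipher-list` still starts from `ALL:` and removes the static-RSA AEAD suites by name (`!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM`), but nothing in the string excludes the DHE-RSA GCM/CCM suites, so the ECDHE-only result the commit message lists depends on what the host's OpenSSL happens to enable rather than on the rule itself. If ECDHE-only is the intent, add `!kRSA:!kDHE` or switch to an allowlist (`ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305`), and put a comment above the line naming the NIST basis and explaining that `!SHA256:!SHA384` only match the HMAC-SHA2 CBC suites (AEAD suites report Mac=AEAD and are untouched), since that reads as if it removed the GCM suites too. Also worth confirming with `openssl ciphers -v '<string>'` that every token is a recognised alias (`!TLSv1.1` in particular): OpenSSL silently ignores unknown tokens, so a typo would not fail the build.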
@ -266,7 +266,7 @@ $SERVER["socket"] == "[::]:<%= @https_port %>" {
ssl.ca-file = "/etc/ssl/private/server-cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:!DES:!CAMELLIA:!MD5:!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM"
}
<% else %>
###
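Review bot: this hunk repeats the first one verbatim for the `[::]` socket, and the fact that both lines had to change together here is the maintenance risk: on the next edit the two strings can drift apart and the IPv4 and IPv6 listeners will offer different suites. Hoist the cipher string into one template variable and reference it from both `$SERVER["socket"]` blocks. Separately, the surrounding context still carries `ssl.use-sslv2 = "disable"` and `ssl.use-sslv3 = "disable"`; the protocol floor belongs in `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` rather than in `!TLSv1:!TLSv1.1` cipher-list tokens, if that is not already set elsewhere in the block.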