
Add settings to mark cryptographic algorithms in vpn customer gateways as excluded or obsolete

Open abh1sar opened this issue 3 weeks ago • 16 comments

Description

This PR introduces several configuration settings using which an operator can mark certain cryptographic algorithms and parameters as excluded or obsolete for VPN Customer Gateway creation for Site-to-Site VPN.

Cloud providers following modern security frameworks (e.g., ISO 27001/27017) are required to enforce and communicate approved cryptographic standards. CloudStack currently accepts several weak or deprecated algorithms without guidance to users. This PR closes that gap by giving operators explicit control over what is disallowed vs discouraged, improving security posture without breaking existing deployments.

These settings are:

  1. vpn.customer.gateway.excluded.encryption.algorithms
  2. vpn.customer.gateway.excluded.hashing.algorithms
  3. vpn.customer.gateway.excluded.ike.versions
  4. vpn.customer.gateway.excluded.dh.group
  5. vpn.customer.gateway.obsolete.encryption.algorithms
  6. vpn.customer.gateway.obsolete.hashing.algorithms
  7. vpn.customer.gateway.obsolete.ike.versions
  8. vpn.customer.gateway.obsolete.dh.group

Details :

  1. Excluded parameters are not shown to the Users in the Create and Update VPN Customer Gateway forms.
  2. Obsolete parameters are shown with a warning.
  3. If a VPN gateway is already using an excluded or obsolete parameter:
     a. A warning icon is displayed near its name with a message to change the obsolete parameter.
     b. The Update VPN gateway form shows the setting with a warning to change it.
  4. The listVpnCustomerGateways API returns two new fields, obsoleteparameters and excludedparameters, containing the list of obsolete and excluded parameters that the gateway is using, respectively.
  5. A new field in the listCapabilities API response contains the list of excluded and obsolete VPN customer gateway parameters, only if set.

Update:

Added a periodic task (Interval controlled by a configuration setting - disabled by default) to generate Alerts (Global) and events (per VPN Gateway) for existing VPN gateways that are using obsolete or excluded settings.

Documentation PR : https://github.com/apache/cloudstack-documentation/pull/605

Types of changes

  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] Enhancement (improves an existing feature and functionality)
  • [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
  • [ ] Build/CI
  • [ ] Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • [ ] Major
  • [x] Minor

Bug Severity

  • [ ] BLOCKER
  • [ ] Critical
  • [ ] Major
  • [ ] Minor
  • [ ] Trivial

Screenshots (if appropriate):

[Three screenshots attached]

Alerts: [screenshot attached]

Events: [screenshot attached]

How Has This Been Tested?

How did you try to break this feature and the system with this change?

abh1sar avatar Dec 04 '25 16:12 abh1sar
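As an added example (not code from this PR or from CloudStack), the following shows the classification the description above lays out: which of a gateway's parameters land in the new excludedparameters and obsoleteparameters fields, and which options a Create/Update form would hide or flag. It assumes the eight settings hold comma-separated, case-insensitive lists, that IKE/ESP policies use the `enc-hash;dhgroup` form (e.g. `aes128-sha1;modp1536`), and that a value present in both lists is reported once, as excluded.

```python
# Added example, not CloudStack's own code. Assumes the settings hold
# comma-separated lists and policies use the "enc-hash;dhgroup" form.
# Constructed sample values for the eight settings introduced by the PR.
SETTINGS = {
    "vpn.customer.gateway.excluded.encryption.algorithms": "des,3des",
    "vpn.customer.gateway.excluded.hashing.algorithms": "md5",
    "vpn.customer.gateway.excluded.ike.versions": "",
    "vpn.customer.gateway.excluded.dh.group": "modp768,modp1024",
    "vpn.customer.gateway.obsolete.encryption.algorithms": "aes128",
    "vpn.customer.gateway.obsolete.hashing.algorithms": "sha1",
    "vpn.customer.gateway.obsolete.ike.versions": "ikev1",
    "vpn.customer.gateway.obsolete.dh.group": "modp1536",
}

def parse_list(value):
    """'3des, MD5 ,' -> {'3des', 'md5'}: trim, lower-case, drop blanks."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def parse_policy(policy):
    """'aes128-sha1;modp1536' -> ('aes128', 'sha1', 'modp1536'); absent parts are None."""
    algs, _, dh = policy.partition(";")
    enc, _, hsh = algs.partition("-")
    return enc.strip().lower(), hsh.strip().lower() or None, dh.strip().lower() or None

def _setting(settings, status, category):
    """Parsed value of vpn.customer.gateway.<excluded|obsolete>.<category>."""
    return parse_list(settings.get(f"vpn.customer.gateway.{status}.{category}", ""))

def classify_gateway(settings, ike_policy, esp_policy, ike_version):
    """The two lists the extended listVpnCustomerGateways response carries.
    A value in both settings is reported once, as excluded (assumption)."""
    params = [("ike.versions", ike_version.strip().lower())]
    for policy in (ike_policy, esp_policy):
        enc, hsh, dh = parse_policy(policy)
        params += [("encryption.algorithms", enc), ("hashing.algorithms", hsh), ("dh.group", dh)]
    excluded, obsolete = [], []
    for category, value in params:
        if value is None:
            continue
        if value in _setting(settings, "excluded", category):
            excluded.append(value)
        elif value in _setting(settings, "obsolete", category):
            obsolete.append(value)
    return {"excludedparameters": list(dict.fromkeys(excluded)),
            "obsoleteparameters": list(dict.fromkeys(obsolete))}

def form_options(settings, category, choices):
    """Options the Create/Update form offers: excluded hidden, obsolete flagged (value, warn)."""
    hidden = _setting(settings, "excluded", category)
    warn = _setting(settings, "obsolete", category)
    return [(c, c.lower() in warn) for c in choices if c.lower() not in hidden]
```

A gateway whose result has a non-empty list in either field is the case the periodic task would raise an alert and a per-gateway event for.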

Codecov Report

Patch coverage is 43.85027% with 105 lines in your changes missing coverage. Please review.
Project coverage is 17.54%. Comparing base (2600965) to head (6117774).
Report is 28 commits behind head on main.

Files with missing lines Patch % Lines
...com/cloud/network/vpn/Site2SiteVpnManagerImpl.java 58.82% 52 Missing and 4 partials :warning:
...in/java/com/cloud/server/ManagementServerImpl.java 0.00% 31 Missing :warning:
...api/response/Site2SiteCustomerGatewayResponse.java 0.00% 6 Missing :warning:
...src/main/java/com/cloud/api/ApiResponseHelper.java 0.00% 6 Missing :warning:
...k/api/command/user/config/ListCapabilitiesCmd.java 0.00% 3 Missing :warning:
.../cloudstack/api/response/CapabilitiesResponse.java 0.00% 3 Missing :warning:
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12193      +/-   ##
============================================
- Coverage     17.57%   17.54%   -0.03%     
- Complexity    15550    15623      +73     
============================================
  Files          5913     5915       +2     
  Lines        529427   529935     +508     
  Branches      64677    64779     +102     
============================================
- Hits          93024    92975      -49     
- Misses       425940   426478     +538     
- Partials      10463    10482      +19     
Flag Coverage Δ
uitests 3.57% <ø> (-0.02%) :arrow_down:
unittests 18.61% <43.85%> (-0.03%) :arrow_down:


codecov[bot] avatar Dec 04 '25 16:12 codecov[bot]

@blueorangutan package

abh1sar avatar Dec 04 '25 17:12 abh1sar

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 04 '25 17:12 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15920

blueorangutan avatar Dec 04 '25 18:12 blueorangutan

@abh1sar can you please target this branch against main branch?

nvazquez avatar Dec 08 '25 12:12 nvazquez

@blueorangutan package

abh1sar avatar Dec 09 '25 08:12 abh1sar

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 09 '25 08:12 blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15958

blueorangutan avatar Dec 09 '25 10:12 blueorangutan

@blueorangutan package

abh1sar avatar Dec 10 '25 17:12 abh1sar

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 10 '25 17:12 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15982

blueorangutan avatar Dec 10 '25 19:12 blueorangutan

@blueorangutan package

abh1sar avatar Dec 11 '25 19:12 abh1sar

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 11 '25 19:12 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16010

blueorangutan avatar Dec 11 '25 20:12 blueorangutan

@blueorangutan test

abh1sar avatar Dec 12 '25 08:12 abh1sar

@abh1sar a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan avatar Dec 12 '25 08:12 blueorangutan

[SF] Trillian test result (tid-14975)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 53648 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12193-t14975-kvm-ol8.zip
Smoke tests completed. 148 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_02_unsecure_vm_migration Error 431.17 test_vm_life_cycle.py
test_02_unsecure_vm_migration Error 431.19 test_vm_life_cycle.py
test_08_migrate_vm Error 18.17 test_vm_life_cycle.py
test_01_migrate_vm_strict_tags_success Error 66.50 test_vm_strict_host_tags.py

blueorangutan avatar Dec 13 '25 00:12 blueorangutan

@blueorangutan test

RosiKyu avatar Dec 16 '25 13:12 RosiKyu

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan avatar Dec 16 '25 14:12 blueorangutan

[SF] Trillian test result (tid-15002)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 50851 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12193-t15002-kvm-ol8.zip
Smoke tests completed. 150 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

blueorangutan avatar Dec 17 '25 04:12 blueorangutan

@blueorangutan package

abh1sar avatar Dec 17 '25 10:12 abh1sar

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 17 '25 10:12 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16073

blueorangutan avatar Dec 17 '25 11:12 blueorangutan

@blueorangutan test

RosiKyu avatar Dec 19 '25 15:12 RosiKyu

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan avatar Dec 19 '25 15:12 blueorangutan

@abh1sar - looks like there's an issue with the smoketests. Could you please have a look?

RosiKyu avatar Dec 19 '25 18:12 RosiKyu