
[lbaas] Add possibility to specify cipher suites

Open BenjaminLudwigSAP opened this issue 3 years ago • 1 comment

I've implemented the custom cipher suites feature in our LBaaS backend driver, so it can now be used. As of 2022-10-21 I'm currently in the middle of rolling out to prod.

The feature allows users to specify a colon-separated list of cipher suites via the tls_ciphers API parameter, usable at listener creation and pool creation. The cipher suites that can be used are specified in an allow list. If tls_ciphers is not set at listener/pool creation, a default will be used. Both the allow list and defaults are specified in the charts here.

Please implement a way for the user to optionally enter a colon-separated list of cipher suites when creating a listener or pool. When invalid cipher suites are entered, the API will respond with an error indicating which cipher suites are allowed. Please display that error. It looks e.g. like this:

benjamin@ubuntu2004:~$ openstack loadbalancer listener create --name invalid_ciphers --protocol TCP --protocol-port 80 --tls-ciphers 'foo:bar' d0252697-21e4-4383-82a1-cdea6a6bdf01
Validation failure: The following ciphers have been prohibited by an administrator: foo, bar. The allowed ciphers are defined by this cipher string: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA:AES128-SHA:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES256-SHA:AES256-SHA256:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384 (HTTP 400) (Request-ID: req-76aff841-13e4-412c-b54b-2a73ebc6df1e)

Unfortunately there is no way to discover the allowed cipher suites via the API other than to send an invalid list of cipher suites. Additionally the allowed cipher suites can be discovered via Octavia's values.yaml in the charts.

(Please don't implement TLS versions for now)

BenjaminLudwigSAP avatar Oct 21 '22 10:10 BenjaminLudwigSAP
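The following is an added example and not code from elektra or Octavia. It shows the two pieces the request above implies: checking a colon-separated tls_ciphers string against an allow list before it is sent (the same check the API performs server-side), and extracting the prohibited and allowed ciphers from an error of the layout quoted in the post so a UI can display them. The allow list is the one printed in that error; the function names, the ALLOWED_CIPHER_STRING constant and the decision to de-duplicate tokens are assumptions made for this illustration.

```python
"""Validation and error parsing for a colon-separated tls_ciphers string.

Added example, not elektra or Octavia code. The allow list is the one quoted in
the issue's error message; function names and ALLOWED_CIPHER_STRING are
assumptions for illustration.
"""
import re

# Allow list as printed in the API error quoted in the issue. It lists
# AES128-SHA and AES256-SHA twice; parse_cipher_string de-duplicates.
ALLOWED_CIPHER_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES256-SHA384:"
    "AES128-GCM-SHA256:AES128-SHA:AES128-SHA:AES128-SHA256:"
    "AES256-GCM-SHA384:AES256-SHA:AES256-SHA:AES256-SHA256:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384"
)


def parse_cipher_string(cipher_string):
    """Split a colon-separated cipher string into an ordered, de-duplicated list.

    Empty tokens (trailing ':' or '::') and surrounding whitespace are dropped;
    order is kept because the order expresses cipher preference.
    """
    seen = set()
    result = []
    for token in cipher_string.split(":"):
        name = token.strip()
        if name and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def find_prohibited(requested, allowed_string=ALLOWED_CIPHER_STRING):
    """Return the requested ciphers that are not in the allow list, in order."""
    allowed = set(parse_cipher_string(allowed_string))
    return [c for c in parse_cipher_string(requested) if c not in allowed]


def format_validation_error(prohibited, allowed_string=ALLOWED_CIPHER_STRING):
    """Build a message with the same layout as the API error quoted in the issue."""
    return (
        "Validation failure: The following ciphers have been prohibited by an "
        "administrator: " + ", ".join(prohibited) + ". The allowed ciphers are "
        "defined by this cipher string: " + allowed_string
    )


def validate_tls_ciphers(requested, allowed_string=ALLOWED_CIPHER_STRING):
    """Return (ok, detail).

    ok=True and detail=None means the field was empty: leave tls_ciphers unset
    so the API default applies. ok=True with a string is the cleaned value to
    send; ok=False carries the error text to show the user.
    """
    cleaned = parse_cipher_string(requested)
    if not cleaned:
        return True, None
    prohibited = find_prohibited(requested, allowed_string)
    if prohibited:
        return False, format_validation_error(prohibited, allowed_string)
    return True, ":".join(cleaned)


# Matches the error layout quoted in the issue; the cipher string contains no
# whitespace, so \S+ stops before the "(HTTP 400)" suffix.
_ERROR_RE = re.compile(
    r"prohibited by an administrator: (?P<prohibited>.*?)\. "
    r"The allowed ciphers are defined by this cipher string: (?P<allowed>\S+)"
)


def parse_validation_error(message):
    """Extract prohibited and allowed ciphers from an API error of that layout.

    Returns None when the message does not match, so a caller can fall back to
    displaying the raw error text.
    """
    m = _ERROR_RE.search(message)
    if not m:
        return None
    return {
        "prohibited": [c.strip() for c in m.group("prohibited").split(",")],
        "allowed": parse_cipher_string(m.group("allowed")),
    }


# Captured sample: the CLI output quoted in the issue, reassembled verbatim.
ISSUE_ERROR_MESSAGE = (
    "Validation failure: The following ciphers have been prohibited by an "
    "administrator: foo, bar. The allowed ciphers are defined by this cipher "
    "string: " + ALLOWED_CIPHER_STRING + " (HTTP 400) "
    "(Request-ID: req-76aff841-13e4-412c-b54b-2a73ebc6df1e)"
)

if __name__ == "__main__":
    print(validate_tls_ciphers("foo:bar"))
    print(validate_tls_ciphers("ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384"))
    print(parse_validation_error(ISSUE_ERROR_MESSAGE))
```

The client-side check only mirrors the server's allow list as loaded from the shared configuration; the API response remains authoritative, which is why parse_validation_error is kept alongside it.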

Hi! Would you please create a shared value yaml file with these tls_ciphers, so it can be consumed by octavia and elektra without involving us to do any changes? We don’t want to hard code any lists of values anymore in elektra. The same we did with Galvani, where Fabus can himself change the values and it will appear with the next deploy of elektra through a configmap.

ArtieReus avatar Oct 21 '22 12:10 ArtieReus