Bug #58942
Disabling TLSv1.2 completely on the ceph-dashboard
Status: closed
% Done: 0%
Source:
Tags: backport_processed
Backport: reef, quincy, pacific
Regression: No
Severity: 3 - minor
Reviewed:
Description
Even though the default connection will always attempt to use the most secure method available, it will also respond to less secure/vulnerable protocols and ciphers, so there should be a way to completely disable TLS v1.2.
In the Dashboard module.py, line 180, we have these lines:
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
It'd be a matter of increasing that to 1_3 and adding ssl.OP_NO_TLSv2.
The minimum_version approach requires Python 3.7: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.minimum_version
For Py <3.7, we have to use ssl.OP_NO_TLS* flags (https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TLSv1).
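One way to raise the protocol floor with either mechanism named in the description, and to check which versions a context still accepts afterwards. This is an added example, not part of the original report or of the Ceph code base; `require_min_tls` and `accepted_versions` are hypothetical helper names, and the per-version flag for TLS 1.2 in Python's ssl module is `ssl.OP_NO_TLSv1_2`.

```python
import ssl

# Per-version opt-out flags, oldest first (OP_NO_TLSv1_3 needs Python 3.7+).
_OPT_OUT = [
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1_1", ssl.OP_NO_TLSv1_1),
    ("TLSv1_2", ssl.OP_NO_TLSv1_2),
    ("TLSv1_3", getattr(ssl, "OP_NO_TLSv1_3", 0)),
]
_NAMES = [name for name, _ in _OPT_OUT]


def require_min_tls(context, floor="TLSv1_3"):
    """Make `context` refuse every TLS version older than `floor`."""
    if floor not in _NAMES:
        raise ValueError("unknown TLS version: %r" % (floor,))
    if hasattr(ssl, "TLSVersion"):
        # Python >= 3.7: a single setting excludes all older versions.
        context.minimum_version = ssl.TLSVersion[floor]
    else:
        # Python < 3.7: switch off each older version with its own flag.
        for _, flag in _OPT_OUT[:_NAMES.index(floor)]:
            context.options |= flag
    return context


def accepted_versions(context):
    """Return the names of the TLS versions `context` can still negotiate."""
    accepted = []
    for name, flag in _OPT_OUT:
        if context.options & flag:
            continue  # switched off through an OP_NO_* flag
        if hasattr(ssl, "TLSVersion"):
            version = ssl.TLSVersion[name]
            ceiling = context.maximum_version
            if version < context.minimum_version:
                continue  # below the configured floor
            if ceiling != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > ceiling:
                continue  # above the configured ceiling
        accepted.append(name)
    return accepted


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # constructed sample context
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the floor quoted in the report
    print("before:", accepted_versions(ctx))
    print("after: ", accepted_versions(require_min_tls(ctx)))
```

The listing reflects the context's own settings only; the linked OpenSSL build and its security level can exclude further versions.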
Updated by Ernesto Puerta about 1 year ago
- Status changed from New to Fix Under Review
- Assignee changed from Pedro González Gómez to Ernesto Puerta
- Pull request ID set to 50494
Updated by Ernesto Puerta about 1 year ago
- Status changed from Fix Under Review to Pending Backport
- Backport changed from reef, quincy to reef, quincy, pacific
Updated by Backport Bot about 1 year ago
- Copied to Backport #59050: reef: Disabling TLSv1.2 completely on the ceph-dashboard added
Updated by Backport Bot about 1 year ago
- Copied to Backport #59051: quincy: Disabling TLSv1.2 completely on the ceph-dashboard added
Updated by Backport Bot about 1 year ago
- Copied to Backport #59052: pacific: Disabling TLSv1.2 completely on the ceph-dashboard added
Updated by Ernesto Puerta about 1 year ago
- Status changed from Pending Backport to Resolved