Project

General

Profile

Bug #58942

Disabling TLSv1.2 completely on the ceph-dashboard

Added by Nizamudeen A 6 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ernesto Puerta
Category:
General - Back-end
Target version:
-
% Done:

0%

Source:
Tags:
backport_processed
Backport:
reef, quincy, pacific
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
50494
Crash signature (v1):
Crash signature (v2):

Description

even though the default connection will always attempt to use the most secure method available, it will also respond to less secure/vulnerable protocols and cyphers, so there should be a way to completely disable TLS v1.2.

in the Dashboard module.py line 180, we have this lines

context.minimum_version = ssl.TLSVersion.TLSv1_2
context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

it'd be a matter of increasing that to 1_3 and adding ssl.OP_NO_TLSv2

The minimum_version approach requires Python 3.7: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.minimum_version
For Py <3.7, we have to use ssl.OP_NO_TLS* flags (https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TLSv1)

Description of problem

here

Environment

  • ceph version string:
  • Platform (OS/distro/release):
  • Cluster details (nodes, monitors, OSDs):
  • Did it happen on a stable environment or after a migration/upgrade?:
  • Browser used (e.g.: Version 86.0.4240.198 (Official Build) (64-bit)):

How reproducible

Steps:

  3. ...

Actual results

Please add logs and/or screenshots

Expected results

here

Additional info

here

Related issues

Copied to Dashboard - Backport #59050: reef: Disabling TLSv1.2 completely on the ceph-dashboard Resolved
Copied to Dashboard - Backport #59051: quincy: Disabling TLSv1.2 completely on the ceph-dashboard Resolved
Copied to Dashboard - Backport #59052: pacific: Disabling TLSv1.2 completely on the ceph-dashboard Resolved

History

#1 Updated by Ernesto Puerta 5 months ago

  • Status changed from New to Fix Under Review
  • Assignee changed from Pedro González Gómez to Ernesto Puerta
  • Pull request ID set to 50494

#2 Updated by Ernesto Puerta 5 months ago

  • Status changed from Fix Under Review to Pending Backport
  • Backport changed from reef, quincy to reef, quincy, pacific

#3 Updated by Backport Bot 5 months ago

  • Copied to Backport #59050: reef: Disabling TLSv1.2 completely on the ceph-dashboard added

#4 Updated by Backport Bot 5 months ago

  • Copied to Backport #59051: quincy: Disabling TLSv1.2 completely on the ceph-dashboard added

#5 Updated by Backport Bot 5 months ago

  • Copied to Backport #59052: pacific: Disabling TLSv1.2 completely on the ceph-dashboard added

#6 Updated by Backport Bot 5 months ago

  • Tags set to backport_processed

#7 Updated by Ernesto Puerta 5 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF