harden haproxy TLS configuration

harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

harden haproxy TLS configuration
b13fa5a9 · Sven Kieske · f8b81d8e · b13fa5a9 · b13fa5a9 · b13fa5a9
Unverified Commit b13fa5a9 authored 11 months ago by Sven Kieske
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -402,6 +402,28 @@ grafana_server_listen_port: "{{ grafana_server_port }}"
 haproxy_stats_port: "1984"
 haproxy_monitor_port: "61313"
 haproxy_ssh_port: "2985"
+# configure SSL/TLS settings for haproxy config, one of [modern, intermediate, legacy]:
+kolla_haproxy_ssl_settings: "modern"
+
+haproxy_ssl_settings: "{{ ssl_legacy_settings if kolla_haproxy_ssl_settings == 'legacy' else ssl_intermediate_settings if kolla_haproxy_ssl_settings == 'intermediate' else ssl_modern_settings | default(ssl_modern_settings) }}"
+
+ssl_legacy_settings: |
+    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+
+ssl_intermediate_settings: |
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ssl_modern_settings: |
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

 heat_internal_fqdn: "{{ kolla_internal_fqdn }}"
 heat_external_fqdn: "{{ kolla_external_fqdn }}"

--- a/ansible/roles/glance/templates/glance-tls-proxy.cfg.j2
+++ b/ansible/roles/glance/templates/glance-tls-proxy.cfg.j2
@@ -10,9 +10,11 @@ global
    {% if (glance_tls_proxy_threads | int > 1) and (glance_tls_proxy_thread_cpu_map | bool) %}
    cpu-map auto:1/all 0-63
    {% endif %}
-    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
-    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
+    {{ haproxy_ssl_settings }}
    tune.ssl.default-dh-param 4096
+    ca-base {{ haproxy_backend_cacert_dir }}
+    {% endif %}

 defaults
    log global

--- a/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
+++ b/ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
@@ -13,8 +13,7 @@ global
    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}

    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
-    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
-    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+    {{ haproxy_ssl_settings }}
    tune.ssl.default-dh-param 4096
    ca-base {{ haproxy_backend_cacert_dir }}
    {% endif %}

--- a/ansible/roles/neutron/templates/neutron-tls-proxy.cfg.j2
+++ b/ansible/roles/neutron/templates/neutron-tls-proxy.cfg.j2
@@ -10,9 +10,11 @@ global
    {% if (neutron_tls_proxy_threads | int > 1) and (neutron_tls_proxy_thread_cpu_map | bool) %}
    cpu-map auto:1/all 0-63
    {% endif %}
-    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
-    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
+    {{ haproxy_ssl_settings }}
    tune.ssl.default-dh-param 4096
+    ca-base {{ haproxy_backend_cacert_dir }}
+    {% endif %}

 defaults
    log global

--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
@@ -363,3 +363,29 @@ options for TLS as is.

 If using this option, make sure that all certificates are present on the
 appropriate hosts in the appropriate location.
+
+.. _haproxy-tls-settings:
+
+HAProxy TLS related settings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can select between different SSL/TLS ciphers by setting the following
+in ``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   kolla_haproxy_ssl_settings: "modern" # or "intermediate" or "legacy"
+
+The default value is "modern". These settings are adapted from the
+`Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/>`__.
+
+The setting "modern" is recommended for most deployments. The setting
+"intermediate" is recommended for deployments that need to support older
+clients. The setting "legacy" is not recommended, but is left as a
+compatibility option for older deployments.
+
+See the `Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/>`__
+for more information on exact supported client versions.
+
+The ``kolla_haproxy_ssl_settings`` setting also affects the glance and
+neutron haproxy TLS settings, if these proxy services are enabled.
--- a/doc/source/reference/high-availability/haproxy-guide.rst
+++ b/doc/source/reference/high-availability/haproxy-guide.rst
@@ -92,3 +92,8 @@ disabled by setting the following in ``/etc/kolla/globals.yml``:
 .. code-block:: yaml

   haproxy_enable_http2: "no"
+
+SSL/TLS Settings
+----------------
+
+For SSL/TLS related settings refer to the :ref:`haproxy-tls-settings` section.
--- a/releasenotes/notes/harden_haproxy_tls_config-6a70503d8a124b2a.yaml
+++ b/releasenotes/notes/harden_haproxy_tls_config-6a70503d8a124b2a.yaml
+---
+features:
+  - |
+    Harden the HAProxy TLS default configuration according to the mozilla
+    ``modern`` recommendation:
+
+    `<https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7>`__
+
+    If you want to revert back to the old behaviour, e.g. because
+    you have old clients, you can do so by setting the following
+    variable in your globals.yml:
+
+    ``kolla_haproxy_ssl_settings: legacy`` or if you want to have
+    at least some improved security settings:
+    ``kolla_haproxy_ssl_settings: intermediate``
+
+    See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__
+upgrade:
+  - |
+    If you have old clients that do not support the new TLS settings,
+    you can revert back to the old behaviour by setting the following
+    variable in your globals.yml:
+
+    ``kolla_haproxy_ssl_settings: legacy`` or if you want to have
+    at least some improved security settings:
+    ``kolla_haproxy_ssl_settings: intermediate``
+
+    See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__