How to secure SSL/TLS configuration of Red Hat OpenStack Platform against DROWN and Poodle Attack

Solution In Progress - Updated -

Issue

Note: For later versions of OSP, see the documentation. E.g., for OSP 13, refer to: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#changing_the_ssl_tls_cipher_and_rules_for_haproxy

A scan of the horizon and swift endpoints with an SSL analyzer (e.g. ssllabs) returns classification F because the SSL/TLS configuration is vulnerable to the POODLE and DROWN attacks. How can one fix that?

Some of the error messages that one might see in addition to POODLE:

 - DROWN attack (Experimental: This server is vulnerable to the DROWN attack. Grade set to F.)
 - Weak Diffie-Hellman
 - This server accepts RC4 cipher, but only with older protocol versions
 - This server's certificate chain is incomplete

Environment

Red Hat Enterprise Linux OpenStack Platform 7.0
Red Hat OpenStack Platform 8.0
