Pacemaker allows SSLv3, TLSv1.0 and TLSv1.1 on control ports for bundle resources in Red Hat OpenStack Platform 13
Issue
- Pacemaker allows SSLv3, TLSv1.0 and TLSv1.1 on the control ports of bundle resources in Red Hat OpenStack Platform 13.
- How to configure the TLS protocols and ciphers that Pacemaker and Pacemaker Remote accept in Red Hat OpenStack Platform 13.
- SSLv3, TLSv1.0 and TLSv1.1 connections are accepted on the open ports 3122, 3123 and 3124 on the controller nodes. These are the control ports of the bundle resources:
[root@overcloud-controller-0 ~]# cibadmin -Q | grep control-port
<network control-port="3122"/>
<network control-port="3123"/>
<network control-port="3124"/>
<network control-port="3125"/>
Identifying the issue
- The control ports of the rabbitmq-bundle, galera-bundle and redis-bundle resources accept connections over SSLv3, TLSv1.0 and TLSv1.1 in addition to TLSv1.2:
[root@overcloud-controller-0 ~]# pcs resource show rabbitmq-bundle
Bundle: rabbitmq-bundle
Docker: image=192.168.24.1:8787/rhosp13/openstack-rabbitmq:pcmklatest network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
Network: control-port=3122
[root@overcloud-controller-0 ~]# nmap -p 3122 -Pn 172.168.20.20 --script +ssl-enum-ciphers
Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:01 UTC
Nmap scan report for 172.168.20.20
Host is up (0.000040s latency).
PORT STATE SERVICE
3122/tcp open unknown
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds
[root@overcloud-controller-0 ~]# pcs resource show galera-bundle
Bundle: galera-bundle
Docker: image=192.168.24.1:8787/rhosp13/openstack-mariadb:pcmklatest masters=1 network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
Network: control-port=3123
[root@overcloud-controller-0 ~]# nmap -p 3123 -Pn 172.168.20.20 --script +ssl-enum-ciphers
Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:03 UTC
Nmap scan report for 172.168.20.20
Host is up (0.000051s latency).
PORT STATE SERVICE
3123/tcp open unknown
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds
[root@overcloud-controller-0 ~]# pcs resource show redis-bundle
Bundle: redis-bundle
Docker: image=192.168.24.1:8787/rhosp13/openstack-redis:pcmklatest masters=1 network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
Network: control-port=3124
[root@overcloud-controller-0 ~]# nmap -p 3124 -Pn 172.168.20.23 --script +ssl-enum-ciphers
Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:05 UTC
Nmap scan report for overcloud.internalapi.redhat.local (172.168.20.23)
Host is up (0.000055s latency).
PORT STATE SERVICE
3124/tcp open unknown
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_DHE_PSK_WITH_RC4_128_SHA - strong
| TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA - strong
| TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
| TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
| TLS_PSK_WITH_AES_256_CBC_SHA - strong
| TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
| TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
| TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
| TLS_PSK_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
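The three scans above have to be read by eye, and the "- strong" labels come from Nmap 6.40's rating table, which still rated RC4 and 3DES as strong. As an added example (not part of the Red Hat article), a small Python parser for ssl-enum-ciphers output that reports the deprecated protocols and the RC4/3DES suites independently of the scanner's own rating, run over a constructed excerpt modelled on the port 3122 output:

```python
import re

# Constructed excerpt in the shape of the nmap 6.40 ssl-enum-ciphers output above
SAMPLE_SCAN = """\
PORT STATE SERVICE
3122/tcp open unknown
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a cipher suite as unacceptable regardless of nmap's label
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT")

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+\S+")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers script output."""
    offered, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered.setdefault(current, [])
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current:
            offered[current].append(cipher.group(1))
    return offered


def audit(offered):
    """List findings: deprecated protocol versions, then weak suites per protocol."""
    findings = []
    for proto in sorted(offered):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol offered: {proto}")
        for suite in offered[proto]:
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher offered on {proto}: {suite}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ssl_enum_ciphers(SAMPLE_SCAN)):
        print(finding)
```

To check a live control port, pipe the real scanner output into parse_ssl_enum_ciphers instead of SAMPLE_SCAN; an empty findings list means only TLSv1.2 with non-RC4/3DES suites was offered.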
Environment
Red Hat OpenStack Platform 13
Red Hat Enterprise Linux 7.7