Pacemaker allows SSLv3 TLSv1.0 and TLSv1.1 on control ports for bundle resources in Red Hat OpenStack Platform 13

Solution In Progress

Issue

Pacemaker allows SSLv3 TLSv1.0 and TLSv1.1 on control ports for bundle resources in Red Hat OpenStack Platform 13

How to configure the TLS protocols and ciphers that pacemaker and pacemaker remote accept in Red Hat OpenStack Platform 13

  • SSLv3, TLSv1.0 and TLSv1.1 connections are accepted on ports 3122, 3123 and 3124 on the controller nodes. These are the control ports of the bundle resources, that is, the ports on which pacemaker_remote listens inside each container. The CIB lists them (it also shows a fourth control port, 3125, which is not scanned below):
[root@overcloud-controller-0 ~]# cibadmin -Q | grep control-port
        <network control-port="3122"/>
        <network control-port="3123"/>
        <network control-port="3124"/>
        <network control-port="3125"/>

Identifying the issue

  • The control ports of the rabbitmq-bundle, galera-bundle and redis-bundle resources accept connections over SSLv3, TLSv1.0 and TLSv1.1 in addition to TLSv1.2. Two details of the scans below should be read correctly: the cipher list is PSK-only because pacemaker_remote authenticates peers with the shared /etc/pacemaker/authkey rather than with certificates, and the "strong" label next to every suite comes from the cipher table built into Nmap 6.40. RC4 and 3DES suites are not considered strong today; the finding here is the set of accepted protocol versions, not the per-cipher rating.
[root@overcloud-controller-0 ~]# pcs resource show rabbitmq-bundle
 Bundle: rabbitmq-bundle
  Docker: image=192.168.24.1:8787/rhosp13/openstack-rabbitmq:pcmklatest network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
  Network: control-port=3122

[root@overcloud-controller-0 ~]# nmap -p 3122 -Pn 172.168.20.20 --script +ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:01 UTC
Nmap scan report for 172.168.20.20
Host is up (0.000040s latency).
PORT     STATE SERVICE
3122/tcp open  unknown
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

[root@overcloud-controller-0 ~]# pcs resource show galera-bundle
 Bundle: galera-bundle
  Docker: image=192.168.24.1:8787/rhosp13/openstack-mariadb:pcmklatest masters=1 network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
  Network: control-port=3123

[root@overcloud-controller-0 ~]# nmap -p 3123 -Pn 172.168.20.20 --script +ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:03 UTC
Nmap scan report for 172.168.20.20
Host is up (0.000051s latency).
PORT     STATE SERVICE
3123/tcp open  unknown
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds

[root@overcloud-controller-0 ~]# pcs resource show redis-bundle
 Bundle: redis-bundle
  Docker: image=192.168.24.1:8787/rhosp13/openstack-redis:pcmklatest masters=1 network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=1 run-command="/bin/bash /usr/local/bin/kolla_start"
  Network: control-port=3124

[root@overcloud-controller-0 ~]# nmap -p 3124 -Pn 172.168.20.23 --script +ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-05 11:05 UTC
Nmap scan report for overcloud.internalapi.redhat.local (172.168.20.23)
Host is up (0.000055s latency).
PORT     STATE SERVICE
3124/tcp open  unknown
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_DHE_PSK_WITH_RC4_128_SHA - strong
|       TLS_PSK_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA - strong
|       TLS_PSK_WITH_AES_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_AES_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_AES_256_CBC_SHA - strong
|       TLS_PSK_WITH_AES_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - strong
|       TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 - strong
|       TLS_PSK_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
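The three scans above are the article's evidence. As an added example, which is neither part of the original article nor Pacemaker's own code, the following Python script performs the same protocol-version check by hand and ties it back to the CIB: it reads the bundle control ports from `cibadmin -Q`, sends one ClientHello per protocol version to each port, and reports which pre-TLSv1.2 versions were answered with a ServerHello. Because pacemaker_remote authenticates with a pre-shared key, the ClientHello offers only PSK cipher suites (RFC 4279 and RFC 5487); no authkey is needed, since the version decision is visible in the ServerHello before any key is used. The ServerHello, alert and CIB fragment embedded at the bottom are constructed for offline use, and the function names (`control_ports`, `probe`, `scan`, and so on) are this example's own.

```python
"""Probe pacemaker bundle control ports for legacy TLS versions: one ClientHello
per protocol version; a ServerHello means accepted, an alert means rejected."""
import socket
import struct
import xml.etree.ElementTree as ET

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
LEGACY = ("SSLv3", "TLSv1.0", "TLSv1.1")
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}
# PSK suites (RFC 4279, RFC 5487): pacemaker_remote authenticates with the shared
# /etc/pacemaker/authkey, so these are the only suites the server can select.
PSK_SUITES = {
    0x008A: "TLS_PSK_WITH_RC4_128_SHA", 0x008B: "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA", 0x008D: "TLS_PSK_WITH_AES_256_CBC_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA", 0x008F: "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
    0x0090: "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", 0x0091: "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
    0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256", 0x00A9: "TLS_PSK_WITH_AES_256_GCM_SHA384",
    0x00AA: "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", 0x00AB: "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256", 0x00AF: "TLS_PSK_WITH_AES_256_CBC_SHA384",
    0x00B2: "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", 0x00B3: "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
}

def control_ports(cib_xml):
    """Map bundle id -> control port from the XML that `cibadmin -Q` prints."""
    ports = {}
    for bundle in ET.fromstring(cib_xml).iter("bundle"):
        net = bundle.find("network")
        if net is not None and net.get("control-port"):
            ports[bundle.get("id")] = int(net.get("control-port"))
    return ports

def build_client_hello(version):
    """ClientHello record for `version` offering every PSK suite, no extensions."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in PSK_SUITES)
    body = (bytes([major, minor]) + bytes(32) + b"\x00"     # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """("accepted", version, suite) for a ServerHello, ("rejected", alert) for an
    alert, ("unknown", None) for anything else such as a silently closed socket."""
    if len(data) < 5:
        return ("unknown", None)
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:                          # alert record
        return ("rejected", ALERTS.get(payload[1], "alert %d" % payload[1]))
    if ctype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:   # handshake: server_hello
        body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        # server_version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
        if len(body) < 35 or len(body) < 38 + body[34]:
            return ("unknown", None)
        version = VERSION_NAMES.get((body[0], body[1]), "%d.%d" % (body[0], body[1]))
        suite = struct.unpack("!H", body[35 + body[34]:37 + body[34]])[0]
        return ("accepted", version, PSK_SUITES.get(suite, "0x%04X" % suite))
    return ("unknown", None)

def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and read one complete record back (network I/O)."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass
    return parse_server_response(data)

def legacy_versions(results):
    """From {version: probe result}, the pre-TLSv1.2 versions that were accepted."""
    return [v for v in LEGACY if results.get(v, ("unknown",))[0] == "accepted"]

def scan(host, cib_xml):
    """{bundle: (port, accepted legacy versions)} for every control port in the CIB."""
    return {bundle: (port, legacy_versions({v: probe(host, port, v) for v in VERSIONS}))
            for bundle, port in control_ports(cib_xml).items()}

# Constructed samples (not captured from a real cluster) so the parsers can run
# offline: a TLSv1.0 ServerHello selecting TLS_PSK_WITH_AES_128_CBC_SHA, a fatal
# protocol_version alert, and a CIB fragment with the article's three ports.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + bytes(32)
                       + b"\x00\x00\x8c\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"
SAMPLE_CIB = """<cib><configuration><resources>
  <bundle id="rabbitmq-bundle"><docker image="x"/><network control-port="3122"/></bundle>
  <bundle id="galera-bundle"><docker image="x"/><network control-port="3123"/></bundle>
  <bundle id="redis-bundle"><docker image="x"/><network control-port="3124"/></bundle>
</resources></configuration></cib>"""

if __name__ == "__main__":
    import subprocess, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    cib = subprocess.check_output(["cibadmin", "-Q"]).decode()
    for bundle, (port, legacy) in sorted(scan(host, cib).items()):
        print("%s (port %d): %s" % (bundle, port, ", ".join(legacy) or "no legacy protocol accepted"))
```

Run it on a controller as `python3 <script> <internal API address of the controller>`. A port that answers an SSLv3, TLSv1.0 or TLSv1.1 ClientHello with a ServerHello reproduces the finding above; a version answered with an alert or a closed connection is classified as rejected or unknown and is not listed, so a port that only speaks TLSv1.2 prints an empty result. The probe deliberately parses only the first record, which is all ssl-enum-ciphers needs as well: the negotiated version and suite are fixed in the ServerHello, before any ServerKeyExchange or PSK identity exchange.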

Environment

Red Hat OpenStack Platform 13
Red Hat Enterprise Linux 7.7
