From a2e929e64671b8285262df137d2ecf7db2c2b8d7 Mon Sep 17 00:00:00 2001 
From: Nizamudeen A Date: Wed, 27 Sep 2023 16:57:32 +0530 Subject: [PATCH] mgr/dashboard: allow tls 1.2 with a config option MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Provide the option to allow tls1.2 `ceph dashboard set-enable-unsafe-tls-v1-2 True` followed with a mgr restart will enable tls 1.2. With tls1.2 enabled ``` ╰─$ nmap -sV --script ssl-enum-ciphers -p 11000 127.0.0.1 Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-27 16:56 IST Nmap scan report for localhost (127.0.0.1) Host is up (0.00018s latency). PORT STATE SERVICE VERSION 11000/tcp open ssl/http CherryPy wsgiserver |_http-server-header: Ceph-Dashboard | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A | cipher preference: server |_ least strength: A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds ``` Without tls1.2 enabled (which defaults to tls 1.3) ``` ╰─$ nmap -sV --script ssl-enum-ciphers -p 11000 127.0.0.1 Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-27 16:54 IST Nmap scan report for localhost (127.0.0.1) Host is up (0.000075s latency). PORT STATE SERVICE VERSION 11000/tcp open ssl/http CherryPy wsgiserver | ssl-enum-ciphers: | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A | cipher preference: server |_ least strength: A |_http-server-header: Ceph-Dashboard ```
Fixes: https://tracker.ceph.com/issues/62940
Signed-off-by: Nizamudeen A
(cherry picked from commit 219c62bea60083c0e59a86454b0cecf8afaf9780)
---
 src/pybind/mgr/dashboard/module.py | 12 +++++++++---
 src/pybind/mgr/dashboard/settings.py | 2 ++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
index efef273bda06d..68725be6e3559 100644
--- a/src/pybind/mgr/dashboard/module.py
+++ b/src/pybind/mgr/dashboard/module.py
@@ -33,7 +33,7 @@
 from .services.auth import AuthManager, AuthManagerTool, JwtManager
 from .services.exception import dashboard_exception_handler
 from .services.rgw_client import configure_rgw_credentials
 from .services.sso import SSO_COMMANDS, handle_sso_command
-from .settings import handle_option_command, options_command_list, options_schema_list
+from .settings import Settings, handle_option_command, options_command_list, options_schema_list
 from .tools import NotificationQueue, RequestLoggingTool, TaskManager, \
     prepare_url_prefix, str_to_bool
@@ -178,9 +178,15 @@ class CherryPyConfig(object):
         context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
         context.load_cert_chain(cert_fname, pkey_fname)
         if sys.version_info >= (3, 7):
-            context.minimum_version = ssl.TLSVersion.TLSv1_3
+            if Settings.UNSAFE_TLS_v1_2:
+                context.minimum_version = ssl.TLSVersion.TLSv1_2
+            else:
+                context.minimum_version = ssl.TLSVersion.TLSv1_3
         else:
-            context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+            if Settings.UNSAFE_TLS_v1_2:
+                context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+            else:
+                context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
         config['server.ssl_module'] = 'builtin'
         config['server.ssl_certificate'] = cert_fname
diff --git a/src/pybind/mgr/dashboard/settings.py b/src/pybind/mgr/dashboard/settings.py
index 6018f0d7f9c73..d4e06a9cc8dc4 100644
--- a/src/pybind/mgr/dashboard/settings.py
+++ b/src/pybind/mgr/dashboard/settings.py
@@ -119,6 +119,8 @@ class Options(object):
                                'gateway', 'logs', 'crush', 'maps']), [str])
+    UNSAFE_TLS_v1_2 = Setting(False, [bool])
+
     @staticmethod
     def has_default_value(name):
         return getattr(Settings, name, None) is None or \
--
2.39.5
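Review bot: When `Settings.UNSAFE_TLS_v1_2` is set, the new branches only lower `minimum_version` (or stop setting `OP_NO_TLSv1_2`) and leave the cipher list at the `create_default_context` default, so the TLS 1.2 handshake also offers the non-forward-secret `TLS_RSA_*` and CBC suites listed in the commit message's nmap output; restricting the suites in that branch, e.g. `context.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20')`, limits the downgrade to what legacy clients need. The option is read while the server config is built, so a change takes effect only after the mgr restart the commit message mentions; a comment above the first `if Settings.UNSAFE_TLS_v1_2:` such as `# read at startup; changing the option requires a mgr restart` plus a warning log line when the unsafe option is on would make that visible to operators. The same `Settings.UNSAFE_TLS_v1_2` lookup is repeated in both the 3.7+ and the legacy branch; binding it once to a local before the version check removes the duplication. The enclosing method of CherryPyConfig starts and ends outside the hunk.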
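Review bot: The new `UNSAFE_TLS_v1_2` setting carries no comment, and its name mixes cases (`v1_2`) where the neighbouring option names are upper-case; a comment such as `# Allow TLS 1.2 alongside 1.3 for legacy clients; off by default, read at mgr start` above the line would record the default and the restart requirement from the commit message. The command quoted in the commit message is `set-enable-unsafe-tls-v1-2`, which does not look like a direct derivation of `UNSAFE_TLS_v1_2`; if the CLI name is generated from the attribute name, one of the two is probably wrong and should be checked. The `Options` class continues outside the hunk.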