Add Secure Connections Standard

[markus-hentsch]

Closes #547

[josephineSei]

nice first draft - I have a few questions inline

[martinmo]

@markus-hentsch I have general remark: Because TLS configuration and security is a moving target, have you considered to base the recommended configuration on one of the profiles offered by Mozilla SSL? For example, the "intermediate" profile, see https://ssl-config.mozilla.org/ and https://wiki.mozilla.org/Security/Server_Side_TLS. (AFAIK, these can be checked with sslyze.)

[artificial-intelligence]

@markus-hentsch I have general remark: Because TLS configuration and security is a moving target, have you considered to base the recommended configuration on one of the profiles offered by Mozilla SSL? For example, the "intermediate" profile, see https://ssl-config.mozilla.org/ and https://wiki.mozilla.org/Security/Server_Side_TLS. (AFAIK, these can be checked with sslyze.)

lol, I had the same idea and actually checked our haproxy TLS implementation, seems there is some opportunity to do some hardening there:

COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 --------------------------------------------

    Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

    a.regiocloud.tech:443: FAILED - Not compliant.
        * ciphers: Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'} are supported, but should be rejected.

[artificial-intelligence]

working on a fix for upstream: https://bugs.launchpad.net/kolla-ansible/+bug/2060787

[anjastrunk]

Just some minor cosmetic changes:

• Is prefer to write Cloud Service Provider instead of CSP, as "CSP" is not an official abbreviation
• I do not like writing "SCS proposes..", "SCS decides...". AFAIK, SCS stands for Sovereign Cloud Stack, which is a Software Stack, which cannot decide something. I prefer to write "SCS project" or "SCS community"

But again. This is just cosmetics.

[markus-hentsch]

Just some minor cosmetic changes:

* Is prefer to write Cloud Service Provider instead of CSP, as "CSP" is not an official abbreviation

* I do not like writing "SCS proposes..", "SCS decides...". AFAIK, SCS stands for Sovereign Cloud Stack, which is a Software Stack, which cannot decide something. I prefer to write "SCS project" or "SCS community"

But again. This is just cosmetics.

I adjusted the SCS references. I left "CSP" as-is and added a glossary instead, like I did with some other standards. We seem to use CSP a lot in other standards so I'd like to stay consistent. The glossary at the top should introduce the abbreviation sufficiently now.

[josephineSei]

Overall I think this is a good starting point. We need something for the manual audits, but this may something to discuss in the standards SIG or in the IAM and Security Meeting

[artificial-intelligence]

Thanks for all the work done so far on this.

Unfortunately I think there's still some work left to do.

Thanks.

[markus-hentsch]

Updated standard and test script to use the Mozilla TLS "intermediate" preset now.

[markus-hentsch]

TODO: URL needs update as soon as number is stable

[markus-hentsch]

I updated the standard and removed the concrete config options from the RabbitMQ and Apache Kafka sections. Config snippets like these are hard to keep up-to-date in a standard. I placed links to documentation there instead.

[markus-hentsch]

@artificial-intelligence this is still marked as "requested changes" by you. Was there anything left from your review that I didn't address yet?