
mgr/dashboard: force TLS 1.3 #50494

Merged
merged 1 commit into from Mar 13, 2023

@epuertat epuertat commented Mar 13, 2023

Fixes: https://tracker.ceph.com/issues/58942

Before

Every 1,0s: nmap --script ssl-enum-ciphers -p 11000 0.0.0.0     theseus.localhost.localdomain: Mon Mar 13 11:11:09 2023

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 11:11 CET
Nmap scan report for 0.0.0.0
Host is up (0.000095s latency).

PORT	  STATE SERVICE
11000/tcp open  irisa
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|	TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|	TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|	TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|	TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|	TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|	TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|	TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|	TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|	NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|	TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|	TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|	TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|	TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

After

Every 1,0s: nmap --script ssl-enum-ciphers -p 11000 0.0.0.0     theseus.localhost.localdomain: Mon Mar 13 11:09:48 2023

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 11:09 CET
Nmap scan report for 0.0.0.0
Host is up (0.000092s latency).

PORT	  STATE SERVICE
11000/tcp open  irisa
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|	TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|	TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|	TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|	TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds


Fixes: https://tracker.ceph.com/issues/58942

Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
@epuertat epuertat requested a review from a team as a code owner March 13, 2023 10:09
@epuertat epuertat requested review from avanthakkar and pereman2 and removed request for a team March 13, 2023 10:09
@epuertat
Member Author

Failures:

1) Mirroring page
       rbd mirroring bootstrap
         should generate and import the bootstrap token between clusters:
     AssertionError: Timed out retrying after 120000ms: Expected to find element: `cd-pool-list`, but never found it.
      at Context.eval (https://172.21.5.38:7820/__cypress/tests?p=cypress/integration/block/mirroring.e2e-spec.ts:217:21)

  2) Mirroring page
       rbd mirroring bootstrap
         "after each" hook for "should generate and import the bootstrap token between clusters":
     HttpErrorResponse: The following error originated from your application code, not from Cypress.

  > Http failure response for https://172.21.5.38:7820/ui-api/standard_settings: 401 Unauthorized

@epuertat
Member Author

Jenkins test dashboard

@epuertat
Member Author

jenkins test dashboard

@epuertat
Member Author

jenkins test dashboard cephadm

@epuertat epuertat merged commit d26e514 into ceph:main Mar 13, 2023
14 of 19 checks passed
@epuertat epuertat deleted the fix-58942-main branch March 13, 2023 19:01
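
As an added example (not code from this PR or from Ceph), the Python below parses `ssl-enum-ciphers` output like the Before/After scans in the description and reports anything that deviates from a TLS 1.3-only policy, so the scan can serve as a regression check. The sample text, the function names and the finding rules are assumptions of this example.

```python
import re

# Constructed sample shaped like the scan quoted in this PR (not a real capture).
SAMPLE_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""

# Protocol headers ("|   TLSv1.2:") and suite lines ("|  NAME (kex) - grade").
PROTO_RE = re.compile(r"^\|\s+((?:TLSv|SSLv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+)\s+\(([^)]*)\)\s+-\s+(\w)\s*$")

def parse_ssl_enum_ciphers(text):
    """Return {protocol: [(suite, key_exchange, grade), ...]} from script output."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current:
            offered[current].append(m.groups())
    return offered

def policy_findings(offered, allowed=("TLSv1.3",)):
    """List deviations from a TLS 1.3-only policy, one string per finding."""
    findings = []
    for proto, suites in offered.items():
        if proto in allowed:
            continue
        findings.append(f"{proto} still offered ({len(suites)} suites)")
        for name, _kex, _grade in suites:
            if name.startswith("TLS_RSA_"):  # static RSA key exchange
                findings.append(f"{proto}: {name} has no forward secrecy")
            elif "_CBC_" in name:
                findings.append(f"{proto}: {name} uses CBC mode")
    return findings
```

An empty list from `policy_findings(parse_ssl_enum_ciphers(scan_text))` corresponds to the After scan; the per-suite findings show what the uniform "A" grade in the Before scan does not distinguish.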