Add Secure Connections Standard (#548)
* Add first part of the secure connections standard

Signed-off-by: Markus Hentsch <[email protected]>

* Add notes about the classifications

Signed-off-by: Markus Hentsch <[email protected]>

* Add considered options and open questions

Signed-off-by: Markus Hentsch <[email protected]>

* Fix linter problems

Signed-off-by: Markus Hentsch <[email protected]>

* Add TLS standardization

Signed-off-by: Markus Hentsch <[email protected]>

* Add database and message queue channel security, extend TLS cipher rules

Signed-off-by: Markus Hentsch <[email protected]>

* Add remaining decision sections

Signed-off-by: Markus Hentsch <[email protected]>

* Add testing script for secure connection standard (WIP)

Signed-off-by: Markus Hentsch <[email protected]>

* Turn avoiding CBC mode into a recommendation.

https://crypto.stackexchange.com/a/95660

Signed-off-by: Markus Hentsch <[email protected]>

* Refactor the TLS test script to use SSLyze
and implement all tests based on the current standard draft

Signed-off-by: Markus Hentsch <[email protected]>

* Add testing README and reference

Signed-off-by: Markus Hentsch <[email protected]>

* Address review feedback

Signed-off-by: Markus Hentsch <[email protected]>

* Fix typo in test script comment

Signed-off-by: Markus Hentsch <[email protected]>

* Add glossary and rephrase "SCS" to "SCS project"

Signed-off-by: Markus Hentsch <[email protected]>

* Rename standard filename due to conflicting counter

Signed-off-by: Markus Hentsch <[email protected]>

* Refine the scope in regards to the communication channels

Signed-off-by: Markus Hentsch <[email protected]>

* s/IPsec/WireGuard/

Signed-off-by: Markus Hentsch <[email protected]>

* Fix option references for oslo.messaging ssl

Signed-off-by: Markus Hentsch <[email protected]>

* Add RFC link for TLS deprecation

Signed-off-by: Markus Hentsch <[email protected]>

* Don't endorse internal CAs specifically

Signed-off-by: Markus Hentsch <[email protected]>

* Refactor test script to check Mozilla TLS recommendations

Signed-off-by: Markus Hentsch <[email protected]>

* Update standard to reference Mozilla's TLS recommendations

Signed-off-by: Markus Hentsch <[email protected]>

* Migrate test script requirements to requirements.in

Signed-off-by: Markus Hentsch <[email protected]>

* Add libvirt security choices to design considerations

Signed-off-by: Markus Hentsch <[email protected]>

* Add open question about libvirt hardening

Signed-off-by: Markus Hentsch <[email protected]>

* Relax the requirement for the libvirt port

Signed-off-by: Markus Hentsch <[email protected]>

* Rephrase and clarify libvirt security recommendations and questions

Signed-off-by: Markus Hentsch <[email protected]>

* Add Mozilla TLS JSON override option to test script

Signed-off-by: Markus Hentsch <[email protected]>

* Fully parameterize Mozilla TLS config in test script

Signed-off-by: Markus Hentsch <[email protected]>

* Rename cli args in test script

Signed-off-by: Markus Hentsch <[email protected]>

* Add Mozilla TLS JSON copy and staging YAML entry

Signed-off-by: Markus Hentsch <[email protected]>

* Add remark about internal audits

Signed-off-by: Markus Hentsch <[email protected]>

* Remove specific MQ SSL config examples, refer to docs

Signed-off-by: Markus Hentsch <[email protected]>

* Align header naming with latest standards template

Signed-off-by: Markus Hentsch <[email protected]>

* Add storage channels

Signed-off-by: Markus Hentsch <[email protected]>

* Assign document number 0122

Signed-off-by: Markus Hentsch <[email protected]>

* Update scs-compatible-test.yaml

Signed-off-by: Markus Hentsch <[email protected]>

* Remove bare URLs

Signed-off-by: Anja Strunk <[email protected]>

* Remove trailing whitespaces

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown linter

Signed-off-by: Anja Strunk <[email protected]>

* remove bare URLs

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown lint errors

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown lint errors

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown lint errors

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown lint errors

Signed-off-by: Anja Strunk <[email protected]>

* Fix markdown lint errors

Signed-off-by: Anja Strunk <[email protected]>

* Change version number of secure connection standard as it conflicts with node to node encryption DR

Signed-off-by: Anja Strunk <[email protected]>

* Add new line char at the end of file to fix MD047

Signed-off-by: Anja Strunk <[email protected]>

* Replace absolute dead links with relative links

Signed-off-by: Anja Strunk <[email protected]>

* Fix dead links

Signed-off-by: Anja Strunk <[email protected]>

* Use absolute path as relative paths are not allowed

Signed-off-by: Anja Strunk <[email protected]>

---------

Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Anja Strunk <[email protected]>
Co-authored-by: Dominik Pataky <[email protected]>
Co-authored-by: anjastrunk <[email protected]>
Co-authored-by: Anja Strunk <[email protected]>
4 people authored Nov 25, 2024
1 parent ebfaa1a commit c3dd463
Showing 9 changed files with 914 additions and 3 deletions.
277 changes: 277 additions & 0 deletions Standards/scs-0125-v1-secure-connections.md


1 change: 0 additions & 1 deletion Standards/scs-0214-v1-k8s-node-distribution.md
@@ -84,4 +84,3 @@ If the standard is used by a provider, the following decisions are binding and v
[k8s-ha]: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/
[k8s-large-clusters]: https://kubernetes.io/docs/setup/best-practices/cluster-large/
[scs-0213-v1]: https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0213-v1-k8s-nodes-anti-affinity.md
[k8s-labels-docs]: https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone
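Review bot: the rendered hunk does not show which of the four reference-style link definitions (`[k8s-ha]`, `[k8s-large-clusters]`, `[scs-0213-v1]`, `[k8s-labels-docs]`) is the single deletion this file records; whichever it is, confirm that no `[text][label]` reference to that label remains in the body of scs-0214-v1-k8s-node-distribution.md, because an orphaned reference renders as literal brackets instead of a link and the markdown linter run in this PR does not check for that.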
61 changes: 61 additions & 0 deletions Tests/iaas/secure-connections/README.md
@@ -0,0 +1,61 @@
# Secure Connections Standard Test Suite

## Test Environment Setup

> **NOTE:** The test execution procedure does not require cloud admin rights.
A valid cloud configuration for the OpenStack SDK in the shape of "`clouds.yaml`" is mandatory[^1].
**This file is expected to be located in the current working directory where the test script is executed unless configured otherwise.**

[^1]: [OpenStack Documentation: Configuring OpenStack SDK Applications](https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html)

The test execution environment can be located on any system outside of the cloud infrastructure that has OpenStack API access.
Make sure that the API access is configured properly in "`clouds.yaml`".

It is recommended to use a Python virtual environment[^2].
Next, install the libraries required by the test suite:

```bash
pip3 install openstacksdk sslyze
```

> Note: the version of the sslyze library determines the [version of the Mozilla TLS recommendation JSON](https://wiki.mozilla.org/Security/Server_Side_TLS#JSON_version_of_the_recommendations) that it checks against.
Within this environment execute the test suite.

[^2]: [Python 3 Documentation: Virtual Environments and Packages](https://docs.python.org/3/tutorial/venv.html)

## Test Execution

The test suite is executed as follows:

```bash
python3 tls-checker.py --os-cloud mycloud
```

As an alternative to "`--os-cloud`", the "`OS_CLOUD`" environment variable may be specified instead.
The parameter is used to look up the correct cloud configuration in "`clouds.yaml`".
For the example command above, this file should contain a `clouds.mycloud` section like this:

```yaml
---
clouds:
mycloud:
auth:
auth_url: ...
...
...
```

For any further options consult the output of "`python3 tls-checker.py --help`".

### Script Behavior & Test Results

The script will print all actions and passed tests to `stdout`.

If all tests pass, the script will return with an exit code of `0`.

If any test fails, the script will halt, print the exact error to `stderr` and return with a non-zero exit code.

Any tests that indicate a recommendation of the standard is not met, will print a warning message under the corresponding endpoint output.
However, unmet recommendations will not count as errors.
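Review bot: in the Test Environment Setup section the sentence "Within this environment execute the test suite." follows the `> Note:` blockquote with no blank line in between, so Markdown's lazy continuation renders it as part of the note; the same happens to the two lines after `> **NOTE:**` at the top of the section, which end up inside the note rather than as body text. Insert a blank line after each blockquote, or prefix the continuation lines with `>` if they are meant to be part of the note. Minor wording: "Any tests that indicate a recommendation of the standard is not met, will print a warning" has a stray comma before `will`.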
209 changes: 209 additions & 0 deletions Tests/iaas/secure-connections/mozilla-tls-profiles/5.7.json
@@ -0,0 +1,209 @@
{
"version": 5.7,
"href": "https://ssl-config.mozilla.org/guidelines/5.7.json",
"configurations": {
"modern": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"certificate_types": ["ecdsa"],
"ciphers": {
"caddy": [],
"go": [],
"iana": [],
"openssl": []
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": null,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 90,
"ocsp_staple": true,
"oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": null,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.3"]
},
"intermediate": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"certificate_types": ["ecdsa", "rsa"],
"ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305"
]
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": 2048,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.2", "TLSv1.3"]
},
"old": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["sha256WithRSAEncryption"],
"certificate_types": ["rsa"],
"ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"AES128-GCM-SHA256",
"AES256-GCM-SHA384",
"AES128-SHA256",
"AES256-SHA256",
"AES128-SHA",
"AES256-SHA",
"DES-CBC3-SHA"
]
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": 1024,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": true,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
}
}
}
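Review bot: this local copy is pinned to guideline `"version": 5.7`, while the test-suite README in this same commit states that the installed sslyze library's version determines the Mozilla recommendation JSON it checks against; document which source takes precedence when the JSON override option from the commit message is used, and how this file is refreshed from the `href` it carries, otherwise the two can silently diverge. Worth stating next to the file as well: the `old` configuration here admits `TLSv1`, `TLSv1.1`, `DES-CBC3-SHA` and the non-forward-secret `TLS_RSA_*` suites, so a pass against `old` says little about connection security; the checker's default profile should be named in the documentation.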
4 changes: 4 additions & 0 deletions Tests/iaas/secure-connections/mozilla-tls-profiles/README.md
@@ -0,0 +1,4 @@
# Mozilla TLS Profiles

Files in this folder are used for automated testing.
They are pulled from [Mozilla Wiki: Security/Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#JSON_version_of_the_recommendations)
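Review bot: the README says the files are pulled from the Mozilla wiki but records neither which guideline version nor how to refresh them; since the copy beside it is named `5.7.json` and the JSON itself carries a `version` field and an `href`, state that the file name must match the `version` field and give the refresh step (fetch the `href` URL into `<version>.json`). Also the last sentence is missing its terminating period.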
0 comments on commit c3dd463
