Hi all!

We did some further investigation on IRC, results inline.

On Wed, Jan 25, 2023 at 5:03 PM Jay Faulkner <jay@gr-oss.io> wrote:
Hey all,

Ironic Python Agent uses oslo.service's wsgi module as a wsgi server, with the built-in TLS support from sslutils.py. This sslutils.py support only works up to TLS v1.2. It needs some enhancement.

A correction: sslutils only supports *limiting* TLS version to 1.2 or older. You cannot use its configuration to limit the TLS version to 1.3.

I just tried built-in TLS in Ironic locally and got 1.3:

$ openssl s_client -connect 127.0.0.1:6385 2>&1 | grep TLS
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

It was indicated to me in #openstack-oslo that there's nobody working on this module currently. I know that Ironic can't be the only consumer of this across OpenStack, so this is a call for interested parties and help.

I do agree that we need to solve the question of maintaining oslo.service. We use it very extensively in all parts of Ironic.

Dmitry

We have to update this to support modern TLS. It's not an option. I'd rather not do it alone -- who wants to help?

I was tempted to put something up about this at the PTG; but I'm not sure it's significant enough to be worth that discussion so I'm starting here :).


Thanks,
Jay Faulkner
Ironic PTL


--
Red Hat GmbH, Registered seat: Werner von Siemens Ring 12, D-85630 Grasbrunn, Germany  
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243,
Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
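As an added illustration of the distinction behind Dmitry's correction (this is my own example, not code from oslo.service, sslutils.py or Ironic): a configuration option that picks a single ssl.PROTOCOL_* constant can only pin the connection to TLS 1.2 or older, because the Python ssl module has no PROTOCOL_TLSv1_3 constant at all; requiring TLS 1.3 needs an SSLContext with minimum_version set. The assumption that sslutils maps an option value to such a constant is mine and is not verified against the module; the helper names below are hypothetical. The last function reproduces the openssl s_client check from the thread in Python, against whatever host and port you pass it.

```python
"""Added example: protocol-constant TLS options versus SSLContext.minimum_version.

Illustrative code only, not oslo.service's sslutils or Ironic code.
Assumption (mine): an sslutils-style option selects a protocol by name and
maps it to an ssl.PROTOCOL_* constant; legacy_protocol_choices() models that.
"""
import socket
import ssl


def legacy_protocol_choices() -> list:
    """Protocol names a PROTOCOL_*-constant based option could ever offer.

    The ssl module has no PROTOCOL_TLSv1_3, so a design that pins one
    protocol version stops at TLS 1.2: it can restrict *down* to 1.2 or
    older, never *up* to 1.3 only.
    """
    candidates = ("TLS", "SSLv23", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
    return [name for name in candidates if hasattr(ssl, "PROTOCOL_" + name)]


def build_server_context(minimum=ssl.TLSVersion.TLSv1_3,
                         certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context negotiating `minimum` up to the newest version OpenSSL
    supports. The default requires TLS 1.3; pass TLSVersion.TLSv1_2 to keep
    1.2 clients working while still allowing 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    if certfile:  # omitted when only the version policy is being inspected
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allowed_range(ctx: ssl.SSLContext):
    """(minimum_version, maximum_version) the context will negotiate."""
    return ctx.minimum_version, ctx.maximum_version


def probe_tls_version(host: str, port: int, timeout: float = 5.0):
    """The `openssl s_client -connect host:port | grep TLS` check in Python:
    returns the negotiated protocol name and cipher, e.g. ('TLSv1.3',
    'TLS_AES_256_GCM_SHA384'). Verification is disabled on purpose because
    this probes the protocol policy of a self-signed endpoint, not its
    identity; never reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("protocol-constant option can offer:", legacy_protocol_choices())
    print("TLS 1.3-only server policy:", allowed_range(build_server_context()))
    # probe_tls_version("127.0.0.1", 6385) against a running Ironic API
```

Run it with no arguments to see that TLSv1_3 never appears in the protocol-constant list while the SSLContext policy reads back as (TLSv1_3, MAXIMUM_SUPPORTED); point probe_tls_version() at an Ironic endpoint to get the same answer the openssl s_client line in the thread gave.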