[oslo][ironic] oslo.service (and IPA) TLS v1.3
Hey all,

Ironic Python Agent uses oslo.service's wsgi module as a wsgi server, with the built in TLS support from sslutils.py. This sslutils.py support only works up to TLS v1.2. It needs some enhancement.

It was indicated to me in #openstack-oslo that there's nobody working on this module currently. I know that Ironic can't be the only consumer of this across OpenStack, so this is a call for interested parties and help.

We have to update this to support modern TLS. It's not an option. I'd rather not do it alone -- who wants to help?

I was tempted to put something up about this at the PTG; but I'm not sure it's significant enough to be worth that discussion so I'm starting here :).

Thanks,
Jay Faulkner
Ironic PTL
Hi all!

We did some further investigation on IRC, results inline.

On Wed, Jan 25, 2023 at 5:03 PM Jay Faulkner <jay@gr-oss.io> wrote:
> Hey all,
>
> Ironic Python Agent uses oslo.service's wsgi module as a wsgi server, with the built in TLS support from sslutils.py. This sslutils.py support only works up to TLS v1.2. It needs some enhancement.

A correction: sslutils only supports *limiting* TLS version to 1.2 or older. You cannot use its configuration to limit the TLS version to 1.3. I just tried built-in TLS in Ironic locally and got 1.3:

$ openssl s_client -connect 127.0.0.1:6385 2>&1 | grep TLS
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

> It was indicated to me in #openstack-oslo that there's nobody working on this module currently. I know that Ironic can't be the only consumer of this across OpenStack, so this is a call for interested parties and help.

I do agree that we need to solve the question of maintaining oslo.service. We use it very extensively in all parts of Ironic.

Dmitry

> We have to update this to support modern TLS. It's not an option. I'd rather not do it alone -- who wants to help?
>
> I was tempted to put something up about this at the PTG; but I'm not sure it's significant enough to be worth that discussion so I'm starting here :).
>
> Thanks,
> Jay Faulkner
> Ironic PTL
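The point Dmitry makes above is about how the TLS version is expressed in configuration: a setting that selects one of Python's legacy `ssl.PROTOCOL_*` constants can pin the server to TLS 1.2 or older, but there is no `PROTOCOL_TLSv1_3` constant, so "TLS 1.3 only" is not expressible that way. The added example below is not code from oslo.service or Ironic; it shows the modern `SSLContext.minimum_version` / `maximum_version` approach that can require 1.3, a helper that reports which versions a context will negotiate, and a client-side check equivalent to the `openssl s_client` run in the thread. The configuration value names (`tlsv1_2`, `tlsv1_3`) are assumptions chosen for this example, not the real option values.

```python
import socket
import ssl

# Assumption: config strings in the style of a "version" option, mapped to the
# modern TLSVersion enum rather than to a legacy ssl.PROTOCOL_* constant.
_TLS_VERSIONS = {
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
    "tlsv1_3": ssl.TLSVersion.TLSv1_3,
}

# Ordered list of TLS versions the ssl module can bound a context to.
_ORDERED = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def legacy_constant_exists(name):
    """True if the stdlib has a single-version ssl.PROTOCOL_<name> constant.

    Returns False for "TLSv1_3": there is no such constant, which is why a
    config layer built on those constants cannot require TLS 1.3.
    """
    return hasattr(ssl, "PROTOCOL_" + name)


def build_server_context(minimum="tlsv1_2", maximum=None):
    """Build a server context with an explicit TLS version floor (and optional ceiling).

    PROTOCOL_TLS_SERVER negotiates the highest version both sides support;
    minimum_version/maximum_version bound that negotiation, so TLS 1.3 can be
    required just as easily as TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _TLS_VERSIONS[minimum]
    if maximum is not None:
        ctx.maximum_version = _TLS_VERSIONS[maximum]
    return ctx


def allowed_version_names(ctx):
    """Return the names of the TLS versions the context is willing to negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _ORDERED[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _ORDERED[-1]
    return [v.name for v in _ORDERED if lo <= v <= hi]


def negotiated_version(host, port, timeout=5.0):
    """Connect and report the negotiated protocol, like `openssl s_client ... | grep TLS`.

    Certificate verification is disabled because this is a diagnostic probe of
    the protocol version only, matching what s_client reports; do not reuse
    this context for real traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.3"


if __name__ == "__main__":
    print("PROTOCOL_TLSv1_2 exists:", legacy_constant_exists("TLSv1_2"))
    print("PROTOCOL_TLSv1_3 exists:", legacy_constant_exists("TLSv1_3"))
    print("tlsv1_2 floor allows:", allowed_version_names(build_server_context("tlsv1_2")))
    print("tlsv1_3 floor allows:", allowed_version_names(build_server_context("tlsv1_3")))
    # Against a local Ironic API with built-in TLS, as in the thread:
    # print(negotiated_version("127.0.0.1", 6385))
```

`negotiated_version` is the programmatic counterpart of the `openssl s_client` check in the thread: run it against the API endpoint before and after changing the configured floor to confirm the server really refuses the older versions rather than only preferring the newer one.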