[oslo][ironic] oslo.service (and IPA) TLS v1.3

Dmitry Tantsur dtantsur at redhat.com
Wed Jan 25 16:06:29 UTC 2023


Hi all!

We did some further investigation on IRC, results inline.

On Wed, Jan 25, 2023 at 5:03 PM Jay Faulkner <jay at gr-oss.io> wrote:

> Hey all,
>
> Ironic Python Agent uses oslo.service's wsgi module as a wsgi server, with
> the built-in TLS support from sslutils.py. This sslutils.py support only
> works up to TLS v1.2. It needs some enhancement.
>

A correction: sslutils only supports *limiting* TLS version to 1.2 or
older. You cannot use its configuration to limit the TLS version to 1.3.

I just tried built-in TLS in Ironic locally and got 1.3:

$ openssl s_client -connect 127.0.0.1:6385 2>&1 | grep TLS
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384


>
> It was indicated to me in #openstack-oslo that there's nobody working on
> this module currently. I know that Ironic can't be the only consumer of
> this across OpenStack, so this is a call for interested parties and help.
>

I do agree that we need to solve the question of maintaining oslo.service.
We use it very extensively in all parts of Ironic.

Dmitry


>
> We have to update this to support modern TLS. It's not an option. I'd
> rather not do it alone -- who wants to help?
>
> I was tempted to put something up about this at the PTG; but I'm not sure
> it's significant enough to be worth that discussion so I'm starting here :).
>
>
> Thanks,
> Jay Faulkner
> Ironic PTL
>


-- 

Red Hat GmbH <https://www.redhat.com/de/global/dach>, Registered seat:
Werner von Siemens Ring 12, D-85630 Grasbrunn, Germany
Commercial register: Amtsgericht Muenchen/Munich, HRB 153243, Managing
Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
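An added example, not part of this thread and not oslo.service or sslutils code, that shows the two sides of the observation above with Python's standard ssl module: a server context with a TLS 1.3 floor expressed through the ssl.TLSVersion API (the floor that a 1.2-capped version option cannot express), and a check of the `openssl s_client` summary line against that floor. Function names and the sample s_client lines are constructed for illustration.

```python
import re
import ssl

# Protocol names ordered oldest to newest, so a policy floor can be compared.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Maps the names used in s_client output to the ssl.TLSVersion enum.
_VERSION_MAP = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_server_context(floor="TLSv1.3"):
    """Server-side context that refuses any handshake below `floor`.

    minimum_version/maximum_version (Python 3.7+, OpenSSL 1.1.0g+) replace the
    per-protocol constants; they are what allows a 1.3-only configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _VERSION_MAP[floor]
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def context_floor(ctx):
    """Return the configured floor as the s_client-style name, for checks."""
    for name, const in _VERSION_MAP.items():
        if ctx.minimum_version == const:
            return name
    return str(ctx.minimum_version)


# Matches the "New, <proto>, Cipher is <cipher>" line that s_client prints.
# A failed handshake prints "New, (NONE), Cipher is (NONE)", which does not match.
_S_CLIENT_RE = re.compile(r"^New, (TLSv1(?:\.\d)?), Cipher is (\S+)")


def parse_s_client(output):
    """Extract (protocol, cipher) from s_client output, or None if no session."""
    for line in output.splitlines():
        m = _S_CLIENT_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def check_s_client(output, floor="TLSv1.3"):
    """True only if a session was negotiated at or above `floor`."""
    parsed = parse_s_client(output)
    if parsed is None:
        return False
    return TLS_ORDER.index(parsed[0]) >= TLS_ORDER.index(floor)
```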