Loading...

XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: rhos-18.0 FR 2 (Mar 2025)
Affects Version/s: None
Component/s: openstack-octavia
Labels:
- FutureFeature
- Triaged

Epic Name:
Improved TLS cipher and protocol support
Story Points:
0
Blocked:
False
Ready:
False
Parent Link:
RHOSSTRAT-600Tech Preview- Improved TLS cipher and protocol support
Bugzilla Bug:
RHBZ: 1813551
Dev Approval:
Proposed
Docs Approval:
Proposed
Feature Link:
RHOSSTRAT-600 - Tech Preview- Improved TLS cipher and protocol support
Fixed in Build:
openstack-octavia-8.0.1-0.20210813161814.f16f72c.el8ost
PM Approval:
Proposed
QE Approval:
Proposed
Release Note Text:

Hide
.Improved TLS cipher and protocol support (Technology Preview)

This update introduces a Technology Preview of improved Load-balancing service (octavia) support for TLS cipher and protocol. You can now override the default cipher list with values that are more appropriate for your site, as well as use additional new features such as setting cipher and protocol lists for each listener.

Show
.Improved TLS cipher and protocol support (Technology Preview) This update introduces a Technology Preview of improved Load-balancing service (octavia) support for TLS cipher and protocol. You can now override the default cipher list with values that are more appropriate for your site, as well as use additional new features such as setting cipher and protocol lists for each listener.
Release Note Type:
Technology Preview
Release Note Status:
Done
Errata Link:
https://errata.engineering.redhat.com/advisory/146727

Target Version:

rhos-18.0.0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Today the default HAProxy configuration in the Amphora provider driver does not override the default cipher list. Operators and users may want to disable weak cipher suites, for example. Operators have the ability to override that list but that is not ideal since they have to provide a custom HAProxy template file where other options other than just cipher suites need to be also set.

Add an ability to set default SSL ciphers in the Octavia configuration
Add an ability to set cipher list for each listener
Add the ability to set a cipher "blacklist" in the Octavia config that has disallowed ciphers
Add the ability to set pool ciphers used when connecting to member servers
Add an ability to set default SSL protocols in the Octavia configuration
Add an ability to set protocol list for each listener
Add the ability to set a protocol "blacklist" in the Octavia config that has disallowed ciphers
Add the ability to set pool protocols used when connecting to member servers

https://storyboard.openstack.org/#!/story/2006627
https://storyboard.openstack.org/#!/story/2006733
https://review.opendev.org/#/q/%22Story:+2006627%22

clones

OSPRH-1377 GA - Improved TLS cipher and protocol support

Refinement

links to

RHBA-2025:146727 Release of containers for RHOSO OpenStack Podified operator

Assignee:: Gregory Thiemonge

Reporter:: RH Bugzilla Integration

Team:: rhos-dfg-networking-squad-vans

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/03/13 1:52 PM

Updated:: 2025/03/20 8:18 AM

Resolved:: 2025/03/13 1:52 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty