)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"e21c1ad34831a56a3957e774b0db8d41108f01b9","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f9ad8fe9_dc9f4f0f","updated":"2024-04-10 21:53:58.000000000","message":"BTW what if we deploy without haproxy? ;)","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"23a56dfd4ee34ce14d1911e1146176b327e45732","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9442ccc4_af6d5287","updated":"2024-04-10 21:52:17.000000000","message":"Security is good, its good to harden public TLS endpoints in production, but not sure that this is should be set by default and hardcoded. there can be users/clients with some old browsers/software who should be able to communicate with API in their private enviroments or whatever. lets make this configurable and and maybe some \u0027switch\u0027 variable to enable hardening.","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"0576ce0c7dd5222367e96a9e85a7db04d1195c82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0d506e6e_1cfaa3b6","updated":"2024-04-10 09:55:59.000000000","message":"let\u0027s see if this breaks anything 😎","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"e0e0f969f2fa7ad280c7357adbd7dd84b7a1b4b7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"830b49f9_00ffb54d","in_reply_to":"6fe34c9c_47985d14","updated":"2024-04-19 14:29:49.000000000","message":"good work. thanks.","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"7a0c96b5c48b855ed427620789cf7ae6aad84993","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a2ac9865_fcd8cec4","in_reply_to":"9442ccc4_af6d5287","updated":"2024-04-11 11:34:27.000000000","message":"agreed people with older browser should be able to connect as well!\n\nThat being said, I\u0027m not sure you took a look at the linked mozilla site, from where I took this config, it says which clients can connect with these settings (notice these are \"intermediate\", not \"modern\" settings, which are more secure, but also don\u0027t allow older clients to connect):\n\n Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 \n \nSo afaik all these browsers, OSes, and Programming Languages are all long end of life.\n\nFirefox 27 was released in February 2014, so 10 years ago:\nhttps://en.wikipedia.org/wiki/Firefox_version_history#Firefox_24_through_30\n \nDon\u0027t you think it\u0027s reasonable?\n\nDoes e.g. Horizon even support Browsers that old (I honestly don\u0027t know)?\n\nI would still be fine with adding a switch to turn this conservative setting off though, if you insist.\n\nBut notice, that I would really really like to be the default to be secure, so people who really \"need\" a less secure environment need to make a conscious decision that they really know what they are doing (usually they really don\u0027t know, but whatever, let people shoot themselves in the foot, if they have been warned, I guess).\n\nregarding the question: what about if haproxy is not deployed?\n\nI don\u0027t care/don\u0027t know. It\u0027s out of scope for this Review I would argue.\n\nThis is meant to bring a better baseline to haproxy prod envs, which I tend to use.\n\nFeel free to adapt it to other environments as well, if you wish so.\n\nThanks for the review!","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"30ea4dd29860c1f752d1d268a92857bde45cd98f","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ad452196_d94092ce","in_reply_to":"a2ac9865_fcd8cec4","updated":"2024-04-15 11:11:22.000000000","message":"Well, users can override the whole file only, so I would add a variable with that default value which they can override.","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"8fc5d6b0b14e2de381dfe1740c0b94809f42082d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c3455b26_3da3bc41","in_reply_to":"ad452196_d94092ce","updated":"2024-04-15 12:11:42.000000000","message":"this was a main idea of my comment ;)","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"f2da111c56cb6998c514ef112e1cf32e098b4893","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6fe34c9c_47985d14","in_reply_to":"c3455b26_3da3bc41","updated":"2024-04-19 14:01:34.000000000","message":"it\u0027s now set by default for new releases and can be easily adjusted by end users, including a reno.\n\nDo you think it\u0027s okay this way?","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"30ea4dd29860c1f752d1d268a92857bde45cd98f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3111116c_3a4ac956","in_reply_to":"f9ad8fe9_dc9f4f0f","updated":"2024-04-15 11:11:22.000000000","message":"As written - not in scope of this review","commit_id":"ecd97ea2fd9874db82a67c0dadfeaa8b16b24d9a"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"e36763eb57c8fbe5dc18699701594b8368d22497","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1e1cef5f_b43c7a39","updated":"2024-07-03 13:25:49.000000000","message":"Seems to match the recommendations that were linked to","commit_id":"b71f2ac5c999eb2899ca65c58542810a0e9394a0"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"21c58252a47bd6fb1ff62b3cc3d5757f1090c78c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a88a550b_7a1dc7bb","updated":"2024-06-06 08:13:28.000000000","message":"would be nice to get RP+1 on this, as this will most likely become mandatory in our downstream product via the scs standard and I would like to avoid carrying downstream patches for this.","commit_id":"b71f2ac5c999eb2899ca65c58542810a0e9394a0"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"11bb3de32071de4f4ee730f6ae355f06bb2a4163","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d27ee6ff_e658ab1e","updated":"2024-07-16 16:46:24.000000000","message":"indeed","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"2fc08c121904f597aae87968a66dc1d7553e3a0e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"96aa91e4_cb17254f","updated":"2024-08-27 15:12:00.000000000","message":"Should we update doc/source/reference/high-availability\n/haproxy-guide.rst?","commit_id":"3d4d81a8b0c08e2b222085c4be6655638bdb74b0"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b1cfa4943330550ee345b2726eccea952d74a7bc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"37b04dc3_c6bb7b85","in_reply_to":"96aa91e4_cb17254f","updated":"2024-08-27 16:02:06.000000000","message":"already prepared some docs, thanks for the hint, will upload soon(TM).","commit_id":"3d4d81a8b0c08e2b222085c4be6655638bdb74b0"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"76bd748d2930d47a7cf489304930edc490738a30","unresolved":true,"context_lines":[{"line_number":409,"context_line":"haproxy_monitor_port: \"61313\""},{"line_number":410,"context_line":"haproxy_ssh_port: \"2985\""},{"line_number":411,"context_line":"# use old TLS settings for haproxy config:"},{"line_number":412,"context_line":"haproxy_use_legacy_ssl_settings: false"},{"line_number":413,"context_line":""},{"line_number":414,"context_line":"heat_internal_fqdn: \"{{ kolla_internal_fqdn }}\""},{"line_number":415,"context_line":"heat_external_fqdn: \"{{ kolla_external_fqdn }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"a847d76a_4039830f","line":412,"updated":"2024-07-03 13:22:57.000000000","message":"Not needed in group_vars/all - it\u0027s already in loadbalancer role defaults?","commit_id":"b71f2ac5c999eb2899ca65c58542810a0e9394a0"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"18489b85fd70e92a196caccc6dce18c5dba4b70a","unresolved":false,"context_lines":[{"line_number":409,"context_line":"haproxy_monitor_port: \"61313\""},{"line_number":410,"context_line":"haproxy_ssh_port: \"2985\""},{"line_number":411,"context_line":"# use old TLS settings for haproxy config:"},{"line_number":412,"context_line":"haproxy_use_legacy_ssl_settings: false"},{"line_number":413,"context_line":""},{"line_number":414,"context_line":"heat_internal_fqdn: \"{{ kolla_internal_fqdn }}\""},{"line_number":415,"context_line":"heat_external_fqdn: \"{{ kolla_external_fqdn }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"33298468_565f584e","line":412,"in_reply_to":"a847d76a_4039830f","updated":"2024-07-10 07:51:20.000000000","message":"Done","commit_id":"b71f2ac5c999eb2899ca65c58542810a0e9394a0"}],"ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2":[{"author":{"_account_id":25238,"name":"Magnus Lööf","email":"magnus.loof@basalt.se","username":"magnusloof"},"change_message_id":"b6b6c45479fab58e9d5a82ae22f1865a2edcf8f6","unresolved":true,"context_lines":[{"line_number":13,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":16,"context_line":"    {% if haproxy_use_legacy_ssl_settings | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"},{"line_number":19,"context_line":"    {% else %}"}],"source_content_type":"text/x-jinja2","patch_set":4,"id":"2e65336d_b03f97b3","line":16,"updated":"2024-08-26 13:26:54.000000000","message":"Parameterize these settings in `all.yml` and also patch the HAProxy configuration files in Glance and Neutron","commit_id":"a30e2efc014cb9e52613e06bf0a1562f6a95f550"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"7c8b875fe2e473c99ba15b269915559170baa5c7","unresolved":true,"context_lines":[{"line_number":13,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":16,"context_line":"    {% if haproxy_use_legacy_ssl_settings | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"},{"line_number":19,"context_line":"    {% else %}"}],"source_content_type":"text/x-jinja2","patch_set":4,"id":"d92e360a_628548f7","line":16,"in_reply_to":"2e65336d_b03f97b3","updated":"2024-08-27 10:57:09.000000000","message":"Ack. will tweak glance and neutron now.","commit_id":"a30e2efc014cb9e52613e06bf0a1562f6a95f550"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"e62d21c25ae4da9c58fe3691d917e8e6c70c7778","unresolved":false,"context_lines":[{"line_number":13,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %}"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":16,"context_line":"    {% if haproxy_use_legacy_ssl_settings | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"},{"line_number":19,"context_line":"    {% else %}"}],"source_content_type":"text/x-jinja2","patch_set":4,"id":"f70380c8_e96b4d66","line":16,"in_reply_to":"d92e360a_628548f7","updated":"2024-08-27 11:18:42.000000000","message":"Done","commit_id":"a30e2efc014cb9e52613e06bf0a1562f6a95f550"}],"doc/source/reference/high-availability/haproxy-guide.rst":[{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"31d971063e2d451422b45d3995e4463c645e0bda","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":".. code-block:: yaml"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"   kolla_enable_tls_internal: \"yes\""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"The same applies to external API endpoints:"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"da8c250b_51b6da2d","line":104,"updated":"2024-08-28 13:31:57.000000000","message":"I think it is better to link this section to tls.rst instead of providing partial information how to set up TLS.","commit_id":"4a0c9d8bbf58ee2a74cf81553b6c8bbaf7f31105"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"1169775fea3e9b7fa045258b3ecee0137c3fa0bf","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":".. code-block:: yaml"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"   kolla_enable_tls_internal: \"yes\""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"The same applies to external API endpoints:"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"cbbae5e1_07832ba1","line":104,"in_reply_to":"a658a74e_e1b7178c","updated":"2024-08-29 08:07:21.000000000","message":"Done","commit_id":"4a0c9d8bbf58ee2a74cf81553b6c8bbaf7f31105"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"eeb12184d1eb2df31ea77d041da1215aef32e60c","unresolved":true,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":".. code-block:: yaml"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"   kolla_enable_tls_internal: \"yes\""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"The same applies to external API endpoints:"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"a658a74e_e1b7178c","line":104,"in_reply_to":"da8c250b_51b6da2d","updated":"2024-08-29 07:11:20.000000000","message":"makes sense, will move the docs to the TLS guide then.","commit_id":"4a0c9d8bbf58ee2a74cf81553b6c8bbaf7f31105"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"63887fbc83fea7a864092cec80dde0e19e31793d","unresolved":false,"context_lines":[{"line_number":96,"context_line":"SSL/TLS Settings"},{"line_number":97,"context_line":"----------------"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"For SSL/TLS related settings refer to the :ref:`haproxy-tls-settings` section."}],"source_content_type":"text/x-rst","patch_set":13,"id":"b44fc012_a68786ac","line":99,"range":{"start_line":99,"start_character":0,"end_line":99,"end_character":2},"updated":"2024-08-30 13:01:20.000000000","message":"I verified that the link works as expected on the built docs preview site:\nhttps://0e2f5f1095b6f5d7850e-d3cfdbb649a7cfa2224aa6fbbdaeb477.ssl.cf1.rackcdn.com/915403/12/check/openstack-tox-docs/178465a/docs/","commit_id":"b13fa5a92cb6d768c5839bd11667e2ca72a7cd2f"}],"releasenotes/notes/harden_haproxy_tls_config-6a70503d8a124b2a.yaml":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"ee46afc9ae6909c237604e740cc8e2eeea3eccd2","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"51d4a574_81728b8e","line":19,"updated":"2024-07-16 16:58:17.000000000","message":"Is that really a thing? How old clients would that be?","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"6c8add39888fdfdcab9e1346b52f118809b82159","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9b75eb75_71568f2e","line":19,"in_reply_to":"18396f09_163f72d6","updated":"2024-08-22 07:16:51.000000000","message":"ack, I even wrote a blog post about this in the distant past 😄 will update today.","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"536b399df45d0402c82bb275d118695d8b15a6f3","unresolved":false,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"37e93d0a_96b81b86","line":19,"in_reply_to":"2204bdaf_8f8dd093","updated":"2024-08-26 08:32:14.000000000","message":"Done","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"dc02dac18e994fe7d2e25b866f73607862603bf2","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"2204bdaf_8f8dd093","line":19,"in_reply_to":"42de32e4_91436285","updated":"2024-08-22 07:49:57.000000000","message":"you\u0027re right, old settings also disallowed tls 1.0 and 1.1. Still new settings are very broad, and I don\u0027t think we should support those CBC week ciphers, some of them with also disproven SHA1 hash algorithm.","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"74e078e8e3c6c6ec032475c28f75a3b024705e1f","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9ec125e0_dca377ae","line":19,"in_reply_to":"51d4a574_81728b8e","updated":"2024-07-18 08:22:42.000000000","message":"Well I wondered the same, but other contributors ( @maksim.malchuk@gmail.com ) wanted me to make it optional for older clients (check the comments).\n\nThe linked mozilla site[1] is really cool and also has the list of browsers/clients these \"new\" settings support:\n\n\u003e Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 \n \n So the used \"intermediate\" level really still supports some ancient clients. None of those are not EOL afaik. So from my point of view I would be fine with not supporting older clients than that, but ymmv.\n \n For reference, the \"modern\" level of cipher security would still support these clients:\n\n\u003e Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1 \n\nDoes that answer your question?\n\nHTH\n\n[1]:https://ssl-config.mozilla.org/#server\u003dhaproxy\u0026version\u003d2.1\u0026config\u003dintermediate\u0026openssl\u003d1.1.1k\u0026guideline\u003d5.7","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b7c137f1933ae4f886a1881a2fdc8031beeb5e2c","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"42de32e4_91436285","line":19,"in_reply_to":"9b75eb75_71568f2e","updated":"2024-08-22 07:20:40.000000000","message":"wait a second.. there is `no-tlsv11` and `no-tlsv10` already in there? did you check that this still allows tls 1.1. or 1.0?","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"0950ef5aac169d18c5ba3b7a0200d257f5aa03dd","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"e45464e0_4e6a7dbf","line":19,"in_reply_to":"9ec125e0_dca377ae","updated":"2024-08-22 05:57:54.000000000","message":"Firefox 27 is from 2014, are we really sure we should be even allowing people to use that? ;-)","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":23084,"name":"Bartosz Bezak","email":"bartosz@stackhpc.com","username":"b.bezak"},"change_message_id":"f2b531b5bd38ed327cc9b10567764339d31ad036","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    See `LP#2060787 \u003chttps://bugs.launchpad.net/kolla-ansible/+bug/2060787\u003e`__"},{"line_number":17,"context_line":"upgrade:"},{"line_number":18,"context_line":"  - |"},{"line_number":19,"context_line":"    If you have old clients that do not support the new TLS settings,"},{"line_number":20,"context_line":"    you can revert back to the old behaviour by setting the following"},{"line_number":21,"context_line":"    variable in your globals.yml:"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"18396f09_163f72d6","line":19,"in_reply_to":"e45464e0_4e6a7dbf","updated":"2024-08-22 07:13:45.000000000","message":"IMHO - we shouldn\u0027t allow legacy settings, TLS 1.0, 1.1 shouldn\u0027t be used - https://datatracker.ietf.org/doc/html/rfc8996#name-do-not-use-tls-11","commit_id":"063b3dc52a6be84fa03b03510bb24bc868b0d106"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"1307a9143c8bbf1272f454df98b05ad3657b573b","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    harden haproxy TLS configuration"},{"line_number":5,"context_line":"    harden the TLS default config according to the mozilla"},{"line_number":6,"context_line":"    ``intermediate`` recommendation:"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"    `\u003chttps://ssl-config.mozilla.org/#server\u003dhaproxy\u0026version\u003d2.1\u0026config\u003dintermediate\u0026openssl\u003d1.1.1k\u0026guideline\u003d5.7\u003e`__"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":12,"id":"55aa3c65_2574bc4f","line":6,"range":{"start_line":4,"start_character":4,"end_line":6,"end_character":36},"updated":"2024-08-29 08:24:47.000000000","message":"nit: the paragraph should start with capital letter, and these two lines can be shortened to one.","commit_id":"0a4153b66d6e3719c0531e8bde065adb2246f24c"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"accbe33470b96d1bbf475e7a2c96ba176d27722b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    harden haproxy TLS configuration"},{"line_number":5,"context_line":"    harden the TLS default config according to the mozilla"},{"line_number":6,"context_line":"    ``intermediate`` recommendation:"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"    `\u003chttps://ssl-config.mozilla.org/#server\u003dhaproxy\u0026version\u003d2.1\u0026config\u003dintermediate\u0026openssl\u003d1.1.1k\u0026guideline\u003d5.7\u003e`__"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":12,"id":"30db5ffc_68b42d90","line":6,"range":{"start_line":4,"start_character":4,"end_line":6,"end_character":36},"in_reply_to":"55aa3c65_2574bc4f","updated":"2024-08-30 12:55:59.000000000","message":"Done\n\nalso fixed that this was still talking about `intermediate` instead of `modern`.","commit_id":"0a4153b66d6e3719c0531e8bde065adb2246f24c"}]}
