)]}'
{"etc/memcache.conf-sample":[{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"8ce657bbcbbc667f7955b04e77f1c86cfc1648d9","unresolved":true,"context_lines":[{"line_number":61,"context_line":"# the TLS context. It should be a string in the OpenSSL cipher"},{"line_number":62,"context_line":"# list format. If not specified, all OpenSSL enabled ciphers will"},{"line_number":63,"context_line":"# be available."},{"line_number":64,"context_line":"# tls_allowed_ciphers \u003d"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"7be95f58_4a8196a1","line":64,"updated":"2020-12-04 19:33:46.000000000","message":"Is this something that commonly needs to be configured? I\u0027ve not really seen this as a config option outside of TLS terminators; usually clients handle negotiation on their own pretty well...\n\nWith that in mind, it seems weird to be able to specify ciphers but not TLS protocol numbers; if we keep this (though I\u0027m not saying we should), should that be configurable, too?","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"dd4bc5f3c2eaea820438361996771387cd288f8d","unresolved":true,"context_lines":[{"line_number":61,"context_line":"# the TLS context. It should be a string in the OpenSSL cipher"},{"line_number":62,"context_line":"# list format. If not specified, all OpenSSL enabled ciphers will"},{"line_number":63,"context_line":"# be available."},{"line_number":64,"context_line":"# tls_allowed_ciphers \u003d"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"dea4135d_0a70b148","line":64,"in_reply_to":"07e43363_4bb38c0c","updated":"2020-12-08 19:53:01.000000000","message":"The FIPS-compliance context is good to know, thanks for that. If you haven\u0027t already seen it, you may be interested in https://review.opendev.org/c/openstack/swift/+/751966, too.\n\nAre we trying to make this work when the memcached server is FIPS-compliant (in which case ensuring the server can trim ciphers seems sufficient), when the swift memcache client is FIPS-compliant (in which case it seems like it would be necessary that we be able to trim TLS 1.0 and TLS 1.1 here), or both?\n\nIs it not the sort of thing that can be set system-wide down in /etc/crypto-policies/ somewhere?\n\n---\n\nSide note: the deprecations in the ssl module leave me rather confused. From the ssl.PROTOCOL_TLSv* descriptions I see\n\n\u003e Deprecated since version 3.6: OpenSSL has deprecated all version specific protocols. Use the default protocol PROTOCOL_TLS with flags like OP_NO_SSLv3 instead.\n\nBut then from the ssl.OP_NO_TLSv1_* descriptions I\u0027m just told\n\n\u003e Deprecated since version 3.7: The option is deprecated since OpenSSL 1.1.0.\n\nI guess the best advice is from ssl.OP_NO_TLSv1?\n\n\u003e ... use the new SSLContext.minimum_version and SSLContext.maximum_version instead.\n\n...but then those warn that\n\n\u003e Note: This attribute is not available unless the ssl module is compiled with OpenSSL 1.1.0g or newer.\n\nSo I\u0027m not really clear on what the recommended way *would be* to trim TLS versions, particularly if I want it to work on a variety of distros which cover a range of openssl versions 😕","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"761d6b189c558a41d861ce5715e84a83e4c3cd08","unresolved":true,"context_lines":[{"line_number":61,"context_line":"# the TLS context. It should be a string in the OpenSSL cipher"},{"line_number":62,"context_line":"# list format. If not specified, all OpenSSL enabled ciphers will"},{"line_number":63,"context_line":"# be available."},{"line_number":64,"context_line":"# tls_allowed_ciphers \u003d"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"a31122ee_f4b43fdc","line":64,"in_reply_to":"7be95f58_4a8196a1","updated":"2020-12-07 11:13:35.000000000","message":"I believe this was added to oslo.cache (which I modeled this on) for FIPS compliance.\n\nI know that all FIPS endpoints should be TLS 1.2 only from 2021, not sure about the clients.\n\nMoises should know the details...","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"},{"author":{"_account_id":27954,"name":"Moisés Guimarães de Medeiros","email":"guimaraes@pm.me","username":"moguimar"},"change_message_id":"730b45a3b819191303d4ef053e5e409e3a7f1683","unresolved":true,"context_lines":[{"line_number":61,"context_line":"# the TLS context. It should be a string in the OpenSSL cipher"},{"line_number":62,"context_line":"# list format. If not specified, all OpenSSL enabled ciphers will"},{"line_number":63,"context_line":"# be available."},{"line_number":64,"context_line":"# tls_allowed_ciphers \u003d"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"07e43363_4bb38c0c","line":64,"in_reply_to":"a31122ee_f4b43fdc","updated":"2020-12-07 11:43:30.000000000","message":"Yeah, cyphers are there in case we need to trim them in the future for FIPS compliance.","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"}],"swift/common/memcached.py":[{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"775e3ea1652505d32350032e8eedb0345c8f06c4","unresolved":true,"context_lines":[{"line_number":141,"context_line":"        sock \u003d socket.socket(family, socket.SOCK_STREAM)"},{"line_number":142,"context_line":"        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)"},{"line_number":143,"context_line":"        if self._tls_context:"},{"line_number":144,"context_line":"            sock \u003d self._tls_context.wrap_socket(sock)"},{"line_number":145,"context_line":"        with Timeout(self._connect_timeout):"},{"line_number":146,"context_line":"            sock.connect(sockaddr)"},{"line_number":147,"context_line":"        return (sock.makefile(\u0027rwb\u0027), sock)"}],"source_content_type":"text/x-python","patch_set":2,"id":"e54d889c_f7aa2504","line":144,"updated":"2020-12-04 19:55:17.000000000","message":"Looks like this needs a\n\n server_hostname\u003dself.host\n\nOtherwise, I get an error like\n\n ValueError: check_hostname requires server_hostname\n\n...though something else seems fishy; it doesn\u0027t actually seem to be checking hostname properly once I add that! Despite a mismatch, swift can still talk to memcache :-/","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"e7d43ff7bbf55bdc9ed6419253e68a9084399fc6","unresolved":false,"context_lines":[{"line_number":141,"context_line":"        sock \u003d socket.socket(family, socket.SOCK_STREAM)"},{"line_number":142,"context_line":"        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)"},{"line_number":143,"context_line":"        if self._tls_context:"},{"line_number":144,"context_line":"            sock \u003d self._tls_context.wrap_socket(sock)"},{"line_number":145,"context_line":"        with Timeout(self._connect_timeout):"},{"line_number":146,"context_line":"            sock.connect(sockaddr)"},{"line_number":147,"context_line":"        return (sock.makefile(\u0027rwb\u0027), sock)"}],"source_content_type":"text/x-python","patch_set":2,"id":"680b5c6b_2e0775cf","line":144,"in_reply_to":"e54d889c_f7aa2504","updated":"2020-12-07 11:28:54.000000000","message":"I checked with a different hostname on my setup and got an error (as expected):\n\n ssl.CertificateError: hostname \u0027192.168.24.19\u0027 doesn\u0027t match \u0027controller-0.internalapi.ooo.test\u0027\n\nThere might be differences between Python versions on how this behaves, there are some details in https://github.com/urllib3/urllib3/issues/517\nYou can check SNI support with import ssl; print(ssl.HAS_SNI).\n\nThe server, when using SNI could also present different certificates for different hostnames, but afaik memcached is configured with only one cert, so that\u0027s probably not an issue in your case.","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"}],"swift/common/middleware/memcache.py":[{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"8ce657bbcbbc667f7955b04e77f1c86cfc1648d9","unresolved":true,"context_lines":[{"line_number":88,"context_line":"            \u0027pool_timeout\u0027, POOL_TIMEOUT))"},{"line_number":89,"context_line":"        tries \u003d int(memcache_options.get(\u0027tries\u0027, TRY_COUNT))"},{"line_number":90,"context_line":"        io_timeout \u003d float(memcache_options.get(\u0027io_timeout\u0027, IO_TIMEOUT))"},{"line_number":91,"context_line":"        if memcache_options.get(\u0027tls_enabled\u0027):"},{"line_number":92,"context_line":"            tls_cafile \u003d memcache_options.get(\u0027tls_cafile\u0027)"},{"line_number":93,"context_line":"            tls_certfile \u003d memcache_options.get(\u0027tls_certfile\u0027)"},{"line_number":94,"context_line":"            tls_keyfile \u003d memcache_options.get(\u0027tls_keyfile\u0027)"}],"source_content_type":"text/x-python","patch_set":2,"id":"0e2c5e37_22570713","line":91,"updated":"2020-12-04 19:33:46.000000000","message":"Might want to check out config_true_value in swift.common.utils; I think I\u0027d prefer\n\n if config_true_value(memcache_options.get(\u0027tls_enabled\u0027, \u0027false\u0027)):\n     ...\n\nso operators not using TLS could explicitly configure\n\n tls_enabled \u003d no\n\nor the like.","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"761d6b189c558a41d861ce5715e84a83e4c3cd08","unresolved":false,"context_lines":[{"line_number":88,"context_line":"            \u0027pool_timeout\u0027, POOL_TIMEOUT))"},{"line_number":89,"context_line":"        tries \u003d int(memcache_options.get(\u0027tries\u0027, TRY_COUNT))"},{"line_number":90,"context_line":"        io_timeout \u003d float(memcache_options.get(\u0027io_timeout\u0027, IO_TIMEOUT))"},{"line_number":91,"context_line":"        if memcache_options.get(\u0027tls_enabled\u0027):"},{"line_number":92,"context_line":"            tls_cafile \u003d memcache_options.get(\u0027tls_cafile\u0027)"},{"line_number":93,"context_line":"            tls_certfile \u003d memcache_options.get(\u0027tls_certfile\u0027)"},{"line_number":94,"context_line":"            tls_keyfile \u003d memcache_options.get(\u0027tls_keyfile\u0027)"}],"source_content_type":"text/x-python","patch_set":2,"id":"3eab917a_5e415d56","line":91,"in_reply_to":"0e2c5e37_22570713","updated":"2020-12-07 11:13:35.000000000","message":"Done","commit_id":"bfa17897478d81dd2e840897dbb029bc4b4b0cbc"}]}