From: Max Carrara
To: pve-devel@lists.proxmox.com
Date: Fri, 5 Jan 2024 15:07:33 +0100
Message-Id: <20240105140733.380258-3-m.carrara@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240105140733.380258-1-m.carrara@proxmox.com>
References: <20240105140733.380258-1-m.carrara@proxmox.com>
Subject: [pve-devel] [PATCH v3 ceph 2/2] mgr/dashboard: add patch that removes PyOpenSSL-related usages
List-Id: Proxmox VE development discussion
X-List-Received-Date: Fri, 05 Jan 2024 14:08:12 -0000

This patch allows the dashboard to work again with TLS enabled; it
however disables the possibility to create self-signed certs via the
`ceph` CLI. This means that users will have to supply the correct
key/cert pair themselves, which are just a few extra steps instead. [0]

Users who try to generate a self-signed cert via the `ceph` CLI are
instead provided with instructions on how to generate and configure a
key/cert pair themselves.

Additionally, the check whether the cert and key match is removed
during the dashboard's launch.

See the patch for additional details.

[0]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support

Signed-off-by: Max Carrara
---
 ...move-ability-to-create-and-check-TLS.patch | 101 ++++++++++++++++++
 patches/series | 1 +
 2 files changed, 102 insertions(+)
 create mode 100644 patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch

diff --git a/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch b/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
new file mode 100644
index 000000000..59c5263da
--- /dev/null
+++ b/patches/0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
@@ -0,0 +1,101 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Max Carrara +Date: Thu, 4 Jan 2024 17:37:50 +0100 +Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS + key/cert pairs + +In order to avoid running into PyO3-related issues [0] with PyOpenSSL, +the ability to create self-signed certs is disabled - the command +`ceph dashboard create-self-signed-cert` is made to always return an +error. + +The command's error message contains the manual steps the user may +follow in order to set the certificate themselves, as well as a link +to the Ceph Dashboard documentation regarding TLS support. [1] + +Furthermore, the check on start-up, that verifies that the configured +key/cert pair actually match, is also removed. This means that users +need to ensure themselves that the correct pair is supplied - +otherwise their browser will complain. + +These changes allow the dashboard to launch with TLS enabled again. + +[0]: https://tracker.ceph.com/issues/63529 +[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support + +Signed-off-by: Max Carrara +--- + src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 14 deletions(-) + +diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py +index 68725be6e35..9db55a3ee93 100644 +--- a/src/pybind/mgr/dashboard/module.py ++++ b/src/pybind/mgr/dashboard/module.py +@@ -23,8 +23,7 @@ if TYPE_CHECKING: + + from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \ + MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key +-from mgr_util import ServerConfigException, build_url, \ +- create_self_signed_cert, get_default_addr, verify_tls_files ++from mgr_util import ServerConfigException, build_url, get_default_addr + + from . 
import mgr + from .controllers import Router, json_error_page +@@ -172,11 +171,14 @@ class CherryPyConfig(object): + else: + pkey_fname = self.get_localized_module_option('key_file') # type: ignore + +- verify_tls_files(cert_fname, pkey_fname) +- + # Create custom SSL context to disable TLS 1.0 and 1.1. + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) +- context.load_cert_chain(cert_fname, pkey_fname) ++ ++ try: ++ context.load_cert_chain(cert_fname, pkey_fname) ++ except ssl.SSLError: ++ raise ServerConfigException("No certificate configured") ++ + if sys.version_info >= (3, 7): + if Settings.UNSAFE_TLS_v1_2: + context.minimum_version = ssl.TLSVersion.TLSv1_2 +@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig): + + @CLIWriteCommand("dashboard create-self-signed-cert") + def set_mgr_created_self_signed_cert(self): +- cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard') +- result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert)) +- if result.retval != 0: +- return result +- +- result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey)) +- if result.retval != 0: +- return result +- return 0, 'Self-signed certificate created', '' ++ from textwrap import dedent ++ ++ err = """ ++ Creating self-signed certificates is currently not available. ++ However, you can still set a key and certificate pair manually: ++ ++ 1. Generate a private key and self-signed certificate: ++ # openssl req -newkey rsa:2048 -nodes -x509 \\ ++ -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\ ++ -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8 ++ ++ 2. 
Set the corresponding config keys for the key/cert pair: ++ # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem ++ # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem ++ ++ For more information on how to configure TLS for the dashboard, visit: ++ https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support ++ """ ++ ++ return -errno.ENOTSUP, '', dedent(err).strip() + + @CLIWriteCommand("dashboard set-rgw-credentials") + def set_rgw_credentials(self): +-- +2.39.2 + diff --git a/patches/series b/patches/series index 93354a011..924f3dadd 100644 --- a/patches/series +++ b/patches/series @@ -10,3 +10,4 @@ 0010-debian-add-missing-bcrypt-to-manager-.requires.patch 0011-fix-compatibility-with-CPUs-not-supporting-SSE-4.1-i.patch 0012-backport-mgr-dashboard-simplify-authentication-proto.patch +0013-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch -- 2.39.2
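Review bot: the import hunk (`@@ -23,8 +23,7 @@` in module.py) drops `create_self_signed_cert` and `verify_tls_files` from the `mgr_util` import, but the rewritten command later returns `-errno.ENOTSUP` and nothing in this patch adds `import errno`; please confirm module.py already imports `errno` at the top, otherwise `ceph dashboard create-self-signed-cert` dies with a `NameError` instead of printing the intended instructions. While touching the imports, `from textwrap import dedent` would fit better here than inside the command body.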
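Review bot: in the `CherryPyConfig` hunk (`@@ -172,11 +171,14 @@`), `except ssl.SSLError: raise ServerConfigException("No certificate configured")` misreports most of the failures it catches. `load_cert_chain` raises `SSLError` not only for empty or absent certificate material but also for a malformed PEM, an encrypted key, and a key that does not match the certificate ("key values mismatch"), so the start-up mismatch check the commit message says is removed is in practice still performed by OpenSSL, only with a misleading message. Conversely, in the `key_file`/`cert_file` branch a path that does not exist raises `FileNotFoundError`, which is an `OSError` but not an `SSLError`, so it escapes this `except` entirely, where `verify_tls_files` used to turn it into a `ServerConfigException`. Suggest `except OSError as e:` (`ssl.SSLError` is a subclass of `OSError`) and `raise ServerConfigException(f"Failed to load TLS certificate/key: {e}") from e`, so the original OpenSSL or OS reason reaches the mgr log.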
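Review bot: in the `create-self-signed-cert` hunk (`@@ -473,15 +475,26 @@`), the file names in the instructions do not match: step 1 writes the certificate with `-out /root/dashboard-cert.pem`, but step 2 reads `ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem`. A user who copies the steps verbatim gets a file-not-found error on the second command; use one name (`dashboard-cert.pem`) in both steps. The command also stays registered under `@CLIWriteCommand("dashboard create-self-signed-cert")` although it can now only fail; consider stating in its help text that it is unsupported so it does not look usable in `ceph dashboard -h`.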
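The patch replaces the start-up `verify_tls_files` call with a bare `except ssl.SSLError` and tells operators to supply a matching key/cert pair themselves. As an added example (not code from this patch, from Proxmox or from Ceph), the following pre-flight check loads a pair the same way `CherryPyConfig` does, via `ssl.create_default_context` and `load_cert_chain`, and classifies the outcome so an operator can verify the pair before storing it with `ceph config-key set`. It also shows the failure mode the narrowed `except` misses: a missing file raises `FileNotFoundError`, not `ssl.SSLError`. Only the Python standard library is assumed; the PEM contents in the second function are constructed garbage, not real key material.

```python
import ssl
import tempfile
from pathlib import Path


def check_tls_pair(cert_path: str, key_path: str) -> tuple:
    """Load a cert/key pair the way the dashboard does and classify the result.

    Returns (status, detail) with status one of:
      "ok"      - the pair loads and OpenSSL accepted key and cert together
      "missing" - a path does not exist (FileNotFoundError: an OSError, which
                  a bare `except ssl.SSLError` would not catch)
      "invalid" - OpenSSL rejected the material: malformed PEM, encrypted key,
                  or a key that does not match the cert ("key values mismatch")
      "error"   - any other OS-level failure (e.g. permissions)
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        # SSLError and FileNotFoundError are both OSError subclasses, so both
        # clauses must come before the generic OSError handler below.
        return ("invalid", str(exc))
    except FileNotFoundError as exc:
        return ("missing", str(exc))
    except OSError as exc:
        return ("error", str(exc))
    return ("ok", "")


def check_constructed_garbage_pair() -> str:
    """Write a constructed, deliberately malformed PEM pair to a temporary
    directory and return its classification (expected: "invalid")."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "dashboard-cert.pem"
        key = Path(tmp) / "dashboard-key.pem"
        # Constructed sample input: PEM markers around base64 that is not DER.
        cert.write_text(
            "-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n"
        )
        key.write_text(
            "-----BEGIN PRIVATE KEY-----\nbm90IGEga2V5\n-----END PRIVATE KEY-----\n"
        )
        status, _detail = check_tls_pair(str(cert), str(key))
    return status


if __name__ == "__main__":
    # Paths from the patch's own instructions; on a host without them this
    # reports "missing" rather than raising.
    print(check_tls_pair("/root/dashboard-cert.pem", "/root/dashboard-key.pem"))
    print(check_constructed_garbage_pair())
```

Running the check on the real pair before `ceph config-key set mgr/dashboard/key` and `mgr/dashboard/crt` gives the operator the exact OpenSSL reason for a rejection, which the dashboard's "No certificate configured" message no longer carries.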