MAAS and SSL Cipher Suite Settings

Hello MAAS folks,

Currently we are using MAAS to help with provisioning our infrastructure, but recently we have become aware that by default MAAS 3.5.2 allows for medium strength cipher suites, which is triggering alerts for our security and compliance teams.

Specifically, it seems that MAAS has support enabled for ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA which seems to be the issue.

Digging around the source code, it seems there’s no way to modify the snap package’s nginx configuration for MAAS, as seen at maas/src/maasserver/templates/http/regiond.nginx.conf.template (commit dbdb317f6a988cfe561432418e642a530e8df825, canonical/maas on GitHub).

I was curious about the following:

  • Besides putting HAProxy/Nginx in front of MAAS, is there any other way we could configure/control this?
  • Are there plans to make the nginx SSL ciphers customizable in the future with the MAAS snap image?

Thank you for your time.

Hey!

There are no plans to make it configurable, but from my perspective we are seeing more and more requests like that, so it is something we might consider doing eventually.

Hello @r00ta,

Thanks for the response. With that said then, is the current “approved” method for resolving this then going the HAProxy/Nginx proxy route then I assume?

Yes, in general that works; actually the scenario with HAProxy is supported (see here), but of course it depends on the configuration that you apply.

Also, please note that even when you enable TLS there are some endpoints that are using HTTP by design.
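
An added example, not part of the thread and not MAAS project configuration: a minimal nginx reverse proxy that terminates TLS in front of MAAS with an explicit cipher allow-list, so neither ECDHE-RSA-DES-CBC3-SHA nor DES-CBC3-SHA is offered. The hostname, certificate paths and upstream address (including port 5240) are assumptions to replace with your own values.

```nginx
# Added example: TLS-terminating reverse proxy in front of a MAAS region controller.
# Intended to be included inside the http {} context (for example from conf.d/).
# Every name, path and address here is a placeholder (assumption), not a value
# taken from the thread or from the MAAS snap.

upstream maas_region {
    # Assumed: the MAAS region controller's plain-HTTP listener.
    server 192.0.2.10:5240;
}

server {
    listen 443 ssl;
    server_name maas.example.internal;

    ssl_certificate     /etc/nginx/tls/maas.example.internal.crt;
    ssl_certificate_key /etc/nginx/tls/maas.example.internal.key;

    # TLS 1.2 and 1.3 only. TLS 1.3 suites are fixed by the protocol and contain
    # no 3DES, so the allow-list below only has to cover TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Explicit allow-list of AEAD suites with forward secrecy. Because this is an
    # allow-list, ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA are simply never offered.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://maas_region;
        proxy_http_version 1.1;

        # Preserve the original host and client details for the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through (assumed to be needed by the web UI).
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

A scan only comes back clean if it targets this listener: a MAAS TLS listener that is still enabled and reachable keeps presenting its built-in cipher list. The endpoints that use HTTP by design are outside the scope of these cipher settings.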
