Page MenuHomePhabricator

Revert OpenSSL min version configuration introduced for bacula compatibility
Closed, ResolvedPublic

Description

Right now, the only jessie hosts left that have backups (according to cumin P:backup::host 'cat /etc/debian_version' are:

conf[2001-2003].codfw.wmnet

I would like to revert it back to safer defaults, but I am unsure how to do it properly. Just reverting:

doesn't seem like a good idea. So, a few questions:

  • Do we need to maintain an openssl conf, different from the package provided one?
  • Should we revert already and just put an exception on conf2* hosts (not sure when those will be upgraded)?
  • Do we remove the file? (but then, what is the safe procedure to revert to the package version one?)

Event Timeline

jcrespo triaged this task as Medium priority.EditedJan 28 2021, 12:46 PM

I have asked on ^this ticket about potential schedule, if they answer we can decide to go for exception or wait for upgrade.

I didn't get any answer here or on the other ticket, so this is my plan now:

  • Add a conditional so the above code only affects jessie host (conf2*)
  • For all other hosts
    • (that have backups enabled), update openssl.conf to one identical to the one shipped by the package
    • Remove the code updating it after some days

*When conf2* are upgraded, remove the exception completely

As I believe this will be the safest way to approach that to avoid breakages (even on wmcs or weird usages)

I'm silly, I was totally convinced that the revert applied to clients. It does not, only to storage hosts, which is easier to revert. That also means T271573 is a real blocker.

Change 660856 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] jessie: Revert openssl conf on director/storage to package defaults

https://gerrit.wikimedia.org/r/660856

Change 660857 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] jessie: Remove old openssl override after revert to package version

https://gerrit.wikimedia.org/r/660857

Change 664314 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] bacula: Revert TLS 1.0 downgrade on storage servers (including director)

https://gerrit.wikimedia.org/r/664314

Change 660857 abandoned by Jcrespo:
[operations/puppet@production] jessie: Remove old openssl override after revert to package version

Reason:
Abandoned in favour of more recent https://gerrit.wikimedia.org/r/c/operations/puppet/ /664314

https://gerrit.wikimedia.org/r/660857

Change 664314 merged by Jcrespo:

[operations/puppet@production] bacula: Revert TLS 1.0 downgrade on storage servers (including director)

https://gerrit.wikimedia.org/r/664314

Doing on backup1001|1002|2001|2002:

run-puppet-agent
rm /etc/ssl/openssl.cnf
apt install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" openssl

( puppet doesn't touch the file, so no need for run-puppet-agent)

I will then do a full restart when bacula has no running processes to make sure there are no ongoing connections left using TLS 1.0.

Mentioned in SAL (#wikimedia-operations) [2021-04-29T07:48:39Z] <jynus> rolling restart of bacula hosts T273182

This has been successfully reverted and a backup each has been run from both stretch and buster hosts. This is now finally resolved!