Expired certificates: Is it possible to have the hard-coded certs replaced by the init container for the maintenance releases, because that is the best long-term solution? @krzysztof please give your perspective.

Proposal: Certificate management is a "must" criterion for maturity.

SSL/TLS versioning: please send a list of the SSL/TLS errors and I will review. Projects should use TLS 1.2 or higher (all standard browsers support TLS 1.3). Earlier versions of TLS and all versions of SSL are broken.

From: onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> On Behalf Of Morgan Richomme via lists.onap.org
Sent: Thursday, July 9, 2020 3:12 AM
To: onap-rele...@lists.onap.org; onap-...@lists.onap.org; onap-tsc@lists.onap.org
Cc: Paweł Wieczorek <p.wieczor...@samsung.com>; ZWARICO, AMY <az9...@att.com>; 'Pawel Pawlak' <p.paw...@f5.com>; Krzysztof Opasiak <k.opas...@samsung.com>
Subject: [onap-tsc] [ONAP] [Frankfurt] [Maintenance release] status on certificates

Hi

I know that we are approaching the Frankfurt maintenance release. I was wondering what is planned regarding the certificates.

I shared the certificate view from the nodeport perspective some weeks ago. Yesterday we detected that an internal certificate also expired (aaf-cert-service), so I gave it a try on all the ports I found from inside the cluster (experimental ~ systematic try, I am not sure it is 100% relevant). I attached both reports to the mail.

What we can see on the nodeport report (test executed as an end user calling the exposed https endpoints): nothing new regarding the previous report

1) the 2 dgbuilder certificates have been expired for almost 1 year. @Taka, Dan: shall we keep them as such?
2) Refrepo expired 17 days ago. @Kanagaraj any plan?
3) so-vnfm: @seshu would it be fixed with the next generation of dockers planned for the maintenance release?
4) several projects include too long certificates and the root CA is not correct
   robot: so it is for the Integration PTL :) (this pod is only for testing. I do not plan to do anything for the Frankfurt maintenance release, but a refactoring of this pod is planned for Guilin)
   What about the uui, msb, cli, appc projects, which are part of the release?
On the internal report we have additional info, as we are trying all the ports reported by the kubernetes client on the ONAP namespace:

we do not see the recent expiration because the deployment failed due to the expiration. There is a patch in gate to fix aaf-cert-service
esr-server certificate expired more than 2 days ago
without surprise, holmes certificates are expired. We do not test them but the components are still deployed.
multicloud certificates are also too long
I got lots of SSL errors, either "wrong version number" or "SSLv3 bad certificate". I am not an expert so I am not 100% sure of the test results, but I got lots of such errors when I try to retrieve internal certificates. Seccom surely has a better view on that.

/Morgan

BTW: shall certificate management not be a criterion for maturity? I guess the answer is yes. It seems that there is still lots of work for most of the projects in this area.
View/Reply Online (#6734): https://lists.onap.org/g/onap-tsc/message/6734
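A checker for the kind of port survey discussed in the thread, added here as an example and not code from the thread or from ONAP: it reads the DER certificate from a TLS port with verification off (so expired or private-CA certificates are still reported), flags expired, expiring and over-long validity periods, connects with TLS 1.2 or higher only, and separates OpenSSL's "wrong version number" error (the port is not speaking TLS at all) from other handshake failures. The 30-day warning, the 398-day maximum validity and all function names are assumptions of mine, not values from the thread.

```python
# Added example (not from the thread or ONAP): check one TLS port for certificate expiry and validity length.
import socket
import ssl
from datetime import datetime, timezone

def _der_tlv(buf, pos):   # one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _der_items(buf, start, end):   # the TLVs directly inside buf[start:end]
    items = []
    while start < end:
        items.append(_der_tlv(buf, start))
        start = items[-1][2]
    return items

def cert_validity(der):   # (notBefore, notAfter) of a DER X.509 cert; nothing is verified, on purpose
    # tbsCertificate = [0] version (optional), serialNumber, signature, issuer, validity, ...
    _, tbs_vs, tbs_ve = _der_tlv(der, _der_tlv(der, 0)[1])
    fields = _der_items(der, tbs_vs, tbs_ve)
    fields = fields[fields[0][0] == 0xA0:]        # drop the EXPLICIT [0] version if present
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}   # UTCTime / GeneralizedTime
    nb, na = [datetime.strptime(der[s:e].decode("ascii"), fmt[t]).replace(tzinfo=timezone.utc)
              for t, s, e in _der_items(der, fields[3][1], fields[3][2])]
    return nb, na

def assess(not_before, not_after, now=None):   # expired > too-long > expiring > ok
    now = now or datetime.now(timezone.utc)
    days_left, validity = (not_after - now).days, (not_after - not_before).days
    if now >= not_after:
        return "expired", days_left, validity
    if validity > 398:        # assumed "too long" threshold (not from the thread)
        return "too-long", days_left, validity
    return ("expiring" if days_left <= 30 else "ok"), days_left, validity   # 30-day warning, assumed

def probe(host, port, timeout=5.0):   # negotiated TLS version + assessment, or a classified error
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # audit tool: keep bad certs visible
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2                 # the policy stated in the thread
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            status, days, span = assess(*cert_validity(tls.getpeercert(binary_form=True)))
            return {"tls": tls.version(), "status": status, "days_left": days, "validity_days": span}
    except OSError as exc:   # ssl.SSLError is an OSError; "wrong version number" = port is not TLS
        kind = "not-tls" if "wrong version number" in str(exc) else "tls-error" if isinstance(exc, ssl.SSLError) else "unreachable"
        return {"error": kind, "detail": str(exc)}
```

An error OpenSSL reports as "sslv3 alert bad certificate" is a bad_certificate alert sent by the peer during the handshake; the "sslv3" prefix is how OpenSSL labels peer alerts on any TLS version and does not mean SSLv3 was negotiated.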