On 09.07.2020 14:28, ZWARICO, AMY wrote:
> Expired certificates: Is it possible to have the hard-coded certs
> replaced by the init container for the maintenance releases because that
> is the best long term solution?

I'm happy to take such patches into oom

> @krzysztof please give your perspective
>
> Proposal: Certificate management is a “must” criteria for maturity.
>
> SSL/TLS versioning: please send a list of the SSL/TLS errors and I will
> review. Projects should use TLS 1.2 or higher (all standard browsers
> support TLS 1.3). Earlier versions of TLS and all versions of SSL are broken.
>
> *From:* onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> *On Behalf Of
> *Morgan Richomme via lists.onap.org
> *Sent:* Thursday, July 9, 2020 3:12 AM
> *To:* onap-rele...@lists.onap.org; onap-...@lists.onap.org;
> onap-tsc@lists.onap.org
> *Cc:* Paweł Wieczorek <p.wieczor...@samsung.com>; ZWARICO, AMY
> <az9...@att.com>; 'Pawel Pawlak' <p.paw...@f5.com>; Krzysztof Opasiak
> <k.opas...@samsung.com>
> *Subject:* [onap-tsc] [ONAP] [Frankfurt] [Maintenance release] status on
> certificates
>
> Hi
>
> I know that we are approaching the Frankfurt maintenance release.
>
> I was wondering what is planned regarding the certificates.
>
> I shared the certificate view from the nodeport perspective some weeks ago.
>
> Yesterday we detected that an internal certificate also expired
> (aaf-cert-service) so I gave a try on all the ports I found from inside
> the cluster (experimental ~ systematic try, I am not sure it is 100%
> relevant).
>
> I attached both reports in the mail.
>
> What we can see
>
> on the nodeport report (test executed as end user calling the exposed
> https endpoints) nothing new regarding the previous report
>
> 1) the 2 dgbuilder certificates expired almost 1 year ago.
>
> @Taka, Dan: shall we keep them as such?
>
> 2) Refrepo expired 17 days ago
>
> @Kanagaraj any plan?
>
> 3) so-vnfm
>
> @seshu would it be fixed with the next generation of dockers planned for
> the maintenance release?
>
> 4) several projects include too long certificates and the root CA is not
> correct
>
> robot: so it is for the Integration PTL :), this pod is only for testing.
>
> I do not plan to do anything for the Frankfurt maintenance release. But
> a refactoring of this pod is planned for Guilin)
>
> What about the uui, msb, cli, appc project, which are part of the release?
>
> on the internal report we have additional info as we are trying all the
> ports reported by the kubernetes client on the ONAP namespace
>
> we do not see the recent expiration because the deployment failed due to
> the expiration. There is a patch in gate to fix aaf-cert-service
>
> esr-server certificate expired more than 2 days ago.
>
> without surprise holmes certificates are expired. We do not test them
> but the components are still deployed.
>
> multicloud certificates are also too long
>
> I got lots of SSL errors, either wrong version number, SSLv3 bad
> certificate, I am not an expert so I am not 100% sure of the test
> results but I got lots of such errors when I try to retrieve internal
> certificates. Seccom has surely a better view on that.
>
> /Morgan
>
> BTW: shall the certificate management not be a criteria for maturity? I
> guess the answer is yes. It seems that there is still lots of work for
> most of the projects in this area.

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
Re: [onap-tsc] [ONAP] [Frankfurt] [Maintenance release] status on certificates
Krzysztof Opasiak via lists.onap.org Mon, 13 Jul 2020 06:08:16 -0700
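The checks discussed in this thread (expired certificates, validity periods that are too long, TLS 1.2 as the floor), as an added example that is not part of the original messages or of ONAP's tooling. The service names, dates and the 398-day limit are constructed assumptions; the input uses the dict layout returned by Python's ssl.SSLSocket.getpeercert().

```python
import ssl
from datetime import datetime, timezone

DAY = 86400
# Assumption: the thread gives no figure for "too long"; 398 days is the
# CA/Browser Forum cap for publicly trusted TLS certificates.
MAX_VALIDITY_DAYS = 398


def audit_cert(name, cert, now, max_validity_days=MAX_VALIDITY_DAYS):
    """Findings for one certificate given as a getpeercert()-style dict."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now > not_after:
        findings.append(f"{name}: expired {int((now - not_after) // DAY)} days ago")
    elif now < not_before:
        findings.append(f"{name}: not valid yet")
    lifetime = (not_after - not_before) // DAY
    if lifetime > max_validity_days:
        findings.append(f"{name}: validity {int(lifetime)} days exceeds {max_validity_days}")
    return findings


def tls12_client_context():
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1 handshakes."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample inventory (hypothetical service names and dates).
SAMPLE = {
    "svc-a": {"notBefore": "Jun 22 12:00:00 2019 GMT", "notAfter": "Jun 22 12:00:00 2020 GMT"},
    "svc-b": {"notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT"},
    "svc-c": {"notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2021 GMT"},
}
NOW = datetime(2020, 7, 9, 12, 0, 0, tzinfo=timezone.utc).timestamp()


def audit_all(inventory=SAMPLE, now=NOW):
    """Audit every certificate in the inventory, in service-name order."""
    report = []
    for name in sorted(inventory):
        report.extend(audit_cert(name, inventory[name], now))
    return report


if __name__ == "__main__":
    print("\n".join(audit_all()) or "no findings")
```

A verifying handshake fails on an already expired certificate, and getpeercert() returns an empty dict when verification is disabled, so for such endpoints the dates have to be read from the raw certificate (getpeercert(binary_form=True)) with a separate X.509 parser.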