RSTUF-CR-25-107: SSL Not Enabled for Broker

[kairoaraujo]

What do you want to share with us?

SSL/TLS is not enabled for connections to the broker service. Depending on the setup, attack-
ers could intercept connections to the broker and add malicious messages into the stream.
Since the network between the broker and the agents connecting to it should be firewalled and
not accessible to third parties this is considered an informational issue. Nevertheless, using SSL
in these setups would increase security in depth.

References

Security Audit Report

Code of Conduct

• I agree to follow this project's Code of Conduct

[srinjoydutta03]

Hi Kairo, I would like to work on this issue.

I had few inquiries:

• The current docs do not have environment variables set for broker ssl keyfile, broker ssl certfile and broker ssl ca certs, which are required for broker to enable ssl, should them be set as environment variables or container secrets?
• I found a similar issue people faced to enable ssl for redis backend (Unable to create SSL broker/backend connection to redis celery/celery#5371 (comment)), it seems to solve the issue by including another parameter in the Celery app configuration redis_backend_use_ssl, which will use the same dictionary as the broker_use_ssl parameter.
• Also, I think we need to mention the fact that if anyone uses SSL with redis the url should contain rediss:// prefix instead of redis://

I think following these changes and inclusions we can enable SSL for broker. Could you suggest on the changes or if am missing something to complete the implementation?

[kairoaraujo]

Hi Kairo, I would like to work on this issue.

Hi @srinjoydutta03, it is a nice issue. I can assign it to you.
Note, that is not a critical issue, as the redis or rabbitmq is used in the backend, but it is a nice to have!

• The current docs do not have environment variables set for broker ssl keyfile, broker ssl certfile and broker ssl ca certs, which are required for broker to enable ssl, should them be set as environment variables or container secrets?

I think using container secrets is best practice, also as we use helm charts for RSTUF https://repository-service-tuf.github.io/helm-charts | https://github.com/repository-service-tuf/helm-charts

• I found a similar issue people faced to enable ssl for redis backend (Unable to create SSL broker/backend connection to redis celery/celery#5371 (comment)), it seems to solve the issue by including another parameter in the Celery app configuration redis_backend_use_ssl, which will use the same dictionary as the broker_use_ssl parameter.
  👍

We will need to set all this settings to the RSTUF_ document it, on Docker_README.md and also set it on helm-charts properly

• Also, I think we need to mention the fact that if anyone uses SSL with redis the url should contain rediss:// prefix instead of redis://

We need abstract it as much as possible in the config and doc 😁

I think following these changes and inclusions we can enable SSL for broker. Could you suggest on the changes or if am missing something to complete the implementation?

So far, I see you covered it very well. Thank you!

[srinjoydutta03]

Thank you for the suggestions. I will try to implement these and raise a PR.

[srinjoydutta03]

Hi, @kairoaraujo. I have made the changes, please review them whenever you can. Once, we reach the final implementation, I will update the docs as well.