openstack
diff --git a/‎doc/source/install/index.rst‎
Lines changed: 67 additions & 0 deletions b/‎doc/source/install/index.rst‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎ironic_python_agent/api/app.py‎
Lines changed: 62 additions & 5 deletions b/‎ironic_python_agent/api/app.py‎
Lines changed: 62 additions & 5 deletions
diff --git a/‎ironic_python_agent/config.py‎
Lines changed: 20 additions & 0 deletions b/‎ironic_python_agent/config.py‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎ironic_python_agent/extensions/standby.py‎
Lines changed: 5 additions & 4 deletions b/‎ironic_python_agent/extensions/standby.py‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎ironic_python_agent/inspector.py‎
Lines changed: 4 additions & 3 deletions b/‎ironic_python_agent/inspector.py‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎ironic_python_agent/ironic_api_client.py‎
Lines changed: 3 additions & 9 deletions b/‎ironic_python_agent/ironic_api_client.py‎
Lines changed: 3 additions & 9 deletions
diff --git a/‎ironic_python_agent/partition_utils.py‎
Lines changed: 3 additions & 3 deletions b/‎ironic_python_agent/partition_utils.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎ironic_python_agent/tests/unit/extensions/test_image.py‎
Lines changed: 2 additions & 2 deletions b/‎ironic_python_agent/tests/unit/extensions/test_image.py‎
Lines changed: 2 additions & 2 deletions
@@ -92,6 +92,67 @@ keyfile
 Currently a single set of cafile/certfile/keyfile options is used for all
 HTTP requests to the other services.
 
+TLS Protocol Version Enforcement
+---------------------------------
+
+IPA enforces minimum TLS protocol versions for all connections (both client
+and server) to protect against downgrade attacks and known vulnerabilities
+in older TLS versions. By default, TLS 1.2 is the minimum supported version,
+which removes support for the deprecated and insecure TLS 1.0 and TLS 1.1
+protocols (as per RFC 8996).
+
+Available options in the ``[DEFAULT]`` config file section are:
+
+tls_min_version
+  Minimum TLS protocol version for both the agent API server (inbound
+  connections from Ironic) and all client connections (to Ironic API,
+  Inspector, and image servers). Supported values are ``1.2`` and ``1.3``.
+  Default is ``1.2`` for broad compatibility.
+  When not specified explicitly, defaults to the value of
+  ``ipa-tls-min-version`` kernel command line argument.
+
+  Setting this to ``1.3`` provides enhanced security and performance but
+  requires all services (Ironic conductor, Inspector, image servers) to
+  support TLS 1.3.
+
+  Example to enforce TLS 1.3 only:
+
+  .. code-block:: ini
+
+    [DEFAULT]
+    tls_min_version = 1.3
+
+  Or via kernel parameter::
+
+    ipa-tls-min-version=1.3
+
+tls_cipher_suites
+  Colon-separated list of TLS cipher suites to allow for TLS 1.2
+  connections. If not specified, uses secure defaults that provide forward
+  secrecy:
+  ``ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256``.
+  TLS 1.3 cipher suites are automatically selected by the TLS library and
+  cannot be configured.
+  When not specified explicitly, defaults to the value of
+  ``ipa-tls-cipher-suites`` kernel command line argument.
+
+  Example to restrict to specific cipher suites:
+
+  .. code-block:: ini
+
+    [DEFAULT]
+    tls_cipher_suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
+
+  Or via kernel parameter::
+
+    ipa-tls-cipher-suites=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
+
+.. note::
+   TLS 1.2 is enforced as the minimum version by default. Operators using
+   legacy infrastructure that only supports TLS 1.0 or 1.1 must upgrade
+   their services before deploying this version of ironic-python-agent.
+   All actively maintained versions of OpenStack Ironic support TLS 1.2.
+
 Server Configuration
 --------------------
 
@@ -104,6 +165,12 @@ Automatic TLS
    generated in runtime and sent to ironic on heartbeat.
 
    No special configuration is required on the ironic side.
+
+   .. note::
+      TLS protocol version enforcement (see `TLS Protocol Version Enforcement`_)
+      applies to automatic TLS. By default, only TLS 1.2 and above are
+      accepted for connections from Ironic conductors.
+
 Manual TLS
    If you need to provide your own TLS certificate, you can configure it when
    building an image. Set the following options in the ironic-python-agent
 
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import json
+import ssl
 import threading
 
 from cheroot.ssl import builtin
@@ -25,9 +26,47 @@
 from ironic_python_agent.api import request_log
 from ironic_python_agent import encoding
 from ironic_python_agent.metrics_lib import metrics_utils
+from ironic_python_agent import utils
 
 
 LOG = log.getLogger(__name__)
+
+
+class TLSEnforcingSSLAdapter(builtin.BuiltinSSLAdapter):
+    """SSL adapter that enforces TLS version requirements.
+
+    This adapter extends cheroot's BuiltinSSLAdapter to support
+    pre-configured SSL contexts with custom TLS version enforcement.
+    """
+
+    def __init__(self, certificate, private_key, ssl_context=None,
+                 certificate_chain=None):
+        """Initialize the adapter with optional SSL context.
+
+        :param certificate: Path to certificate file
+        :param private_key: Path to private key file
+        :param ssl_context: Optional pre-configured SSL context
+        :param certificate_chain: Optional certificate chain file
+        """
+        super().__init__(certificate, private_key,
+                         certificate_chain=certificate_chain)
+        self._custom_context = ssl_context
+
+    def wrap(self, sock):
+        """Wrap socket with SSL using custom context if provided.
+
+        :param sock: The socket to wrap
+        :returns: Tuple of (SSL-wrapped socket, SSL environ dict)
+        """
+        if self._custom_context:
+            s = self._custom_context.wrap_socket(
+                sock, server_side=True,
+                do_handshake_on_connect=True
+            )
+            return s, self.get_environ(s)
+        return super().wrap(sock)
+
+
 _CUSTOM_MEDIA_TYPE = 'application/vnd.openstack.ironic-python-agent.v1+json'
 _DOCS_URL = 'https://docs.openstack.org/ironic-python-agent'
 
@@ -145,20 +184,38 @@ def start(self, tls_cert_file=None, tls_key_file=None):
                              server_name='ironic-python-agent')
 
         if self.tls_cert_file and self.tls_key_file:
-            server.ssl_adapter = builtin.BuiltinSSLAdapter(
+            # Create SSL context with TLS version enforcement
+            ssl_context = utils.create_ssl_context('server')
+
+            # Load certificate and key
+            ssl_context.load_cert_chain(
+                certfile=self.tls_cert_file,
+                keyfile=self.tls_key_file
+            )
+
+            # Disable client certificate verification
+            # (agent is server, Ironic is client)
+            ssl_context.check_hostname = False
+            ssl_context.verify_mode = ssl.CERT_NONE
+
+            server.ssl_adapter = TLSEnforcingSSLAdapter(
                 certificate=self.tls_cert_file,
-                private_key=self.tls_key_file
+                private_key=self.tls_key_file,
+                ssl_context=ssl_context
             )
+            LOG.info('Started API service with TLS %s on port %s',
+                     self._conf.tls_min_version,
+                     self.agent.listen_address.port)
+        else:
+            LOG.info('Started API service without TLS on port %s',
+                     self.agent.listen_address.port)
 
         self.server = server
         self.server.prepare()
         self.server_thread = threading.Thread(target=self.server.serve)
         self.server_thread.daemon = True
         self.server_thread.start()
 
-        LOG.info('Started API service on port %s',
-                 self.agent.listen_address.port)
-
     def stop(self):
         """Stop the API service."""
         LOG.debug("Stopping the API service.")
 
@@ -92,6 +92,26 @@
                help='Clock skew (in seconds) allowed in the generated TLS '
                     'certificate.'),
 
+    cfg.StrOpt('tls_min_version',
+               default=APARAMS.get('ipa-tls-min-version', '1.2'),
+               choices=['1.2', '1.3'],
+               help='Minimum TLS protocol version for both server (agent API) '
+                    'and client (outbound) connections. TLS 1.2 provides '
+                    'broad compatibility with older services, while TLS 1.3 '
+                    'offers enhanced security and performance. Can be '
+                    'supplied as "ipa-tls-min-version" kernel parameter.'),
+
+    cfg.StrOpt('tls_cipher_suites',
+               default=APARAMS.get('ipa-tls-cipher-suites', None),
+               help='Colon-separated list of TLS cipher suites to allow for '
+                    'TLS 1.2 connections. If not specified, uses secure '
+                    'defaults (ECDHE-ECDSA-AES256-GCM-SHA384:'
+                    'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-'
+                    'SHA384:ECDHE-RSA-AES128-GCM-SHA256). TLS 1.3 cipher '
+                    'suites are automatically selected by the TLS library. '
+                    'Can be supplied as "ipa-tls-cipher-suites" kernel '
+                    'parameter.'),
+
     cfg.StrOpt('advertise_host',
                default=APARAMS.get('ipa-advertise-host', None),
                help='The host to tell Ironic to reply and send '
 
@@ -185,13 +185,10 @@ def _download_with_proxy(image_info, url, image_id):
     if no_proxy:
         os.environ['no_proxy'] = no_proxy
     proxies = image_info.get('proxies', {})
-    verify, cert = utils.get_ssl_client_options(CONF)
     resp = None
     image_download_attributes = {
         "stream": True,
         "proxies": proxies,
-        "verify": verify,
-        "cert": cert,
         "timeout": CONF.image_download_connection_timeout
     }
     # NOTE(Adam) `image_info` is prioritized over `oslo.conf` for credential
@@ -203,6 +200,10 @@ def _download_with_proxy(image_info, url, image_id):
         auth_object = _gen_auth_from_oslo_conf_user_pass(image_id)
     if auth_object is not None:
         image_download_attributes['auth'] = auth_object
+
+    # Create TLS-enforcing session for image downloads
+    session = utils.get_requests_session()
+
     for attempt in range(CONF.image_download_connection_retries + 1):
         try:
             # NOTE(TheJulia) The get request below does the following:
@@ -219,7 +220,7 @@ def _download_with_proxy(image_info, url, image_id):
             # failure is more so once we've started the download and we are
             # processing the incoming data.
             # B113 issue is covered is the image_download_attributs list
-            resp = requests.get(url, **image_download_attributes)  # nosec
+            resp = session.get(url, **image_download_attributes)  # nosec
             if resp.status_code != 200:
                 msg = ('Received status code {} from {}, expected 200. '
                        'Response body: {} Response headers: {}').format(
 
@@ -141,7 +141,6 @@ def call_inspector(data, failures):
 
     encoder = encoding.RESTJSONEncoder()
     data = encoder.encode(data)
-    verify, cert = utils.get_ssl_client_options(CONF)
 
     headers = {
         'Content-Type': 'application/json',
@@ -152,6 +151,9 @@ def call_inspector(data, failures):
 
     urls = _get_urls()
 
+    # Create TLS-enforcing session
+    session = utils.get_requests_session()
+
     @tenacity.retry(
         retry=tenacity.retry_if_exception_type(
             (requests.exceptions.ConnectionError,
@@ -164,9 +166,8 @@ def _post_to_inspector():
         for url in urls:
             LOG.info('Posting collected data to %s', url)
             try:
-                inspector_resp = requests.post(
+                inspector_resp = session.post(
                     url, data=data, headers=headers,
-                    verify=verify, cert=cert,
                     timeout=CONF.http_request_timeout)
             except requests.exceptions.ConnectionError as exc:
                 if url == urls[-1]:
 
@@ -61,12 +61,9 @@ def __init__(self, api_urls):
 
         # Only keep alive a maximum of 2 connections to the API. More will be
         # opened if they are needed, but they will be closed immediately after
-        # use.
-        adapter = requests.adapters.HTTPAdapter(pool_connections=2,
-                                                pool_maxsize=2)
-        self.session = requests.Session()
-        self.session.mount('https://', adapter)
-        self.session.mount('http://', adapter)
+        # use. Use TLS-enforcing session.
+        self.session = utils.get_requests_session(pool_connections=2,
+                                                  pool_maxsize=2)
 
         self.encoder = encoding.RESTJSONEncoder()
 
@@ -83,16 +80,13 @@ def _request(self, method, path, data=None, headers=None, **kwargs):
         if CONF.global_request_id:
             headers["X-OpenStack-Request-ID"] = CONF.global_request_id
 
-        verify, cert = utils.get_ssl_client_options(CONF)
         for idx, api_url in enumerate(self.api_urls):
             request_url = f'{api_url}{path}'
             try:
                 resp = self.session.request(method,
                                             request_url,
                                             headers=headers,
                                             data=data,
-                                            verify=verify,
-                                            cert=cert,
                                             timeout=CONF.http_request_timeout,
                                             **kwargs)
                 # Make sure the working URL is on the top, so that the next
 
@@ -70,12 +70,12 @@ def get_configdrive(configdrive, node_uuid, tempdir=None):
     # Check if the configdrive option is a HTTP URL or the content directly
     is_url = _is_http_url(configdrive)
     if is_url:
-        verify, cert = utils.get_ssl_client_options(CONF)
         timeout = CONF.image_download_connection_timeout
         # TODO(dtantsur): support proxy parameters from instance_info
+        # Create TLS-enforcing session
+        session = utils.get_requests_session()
         try:
-            resp = requests.get(configdrive, verify=verify, cert=cert,
-                                timeout=timeout)
+            resp = session.get(configdrive, timeout=timeout)
         except requests.exceptions.RequestException as e:
             raise errors.DeploymentError(
                 "Can't download the configdrive content for node %(node)s "
 
@@ -328,7 +328,7 @@ def test__uefi_bootloader_with_entry_removal(
         mock_get_part_path.return_value = self.fake_efi_system_part
         mock_utils_efi_part.return_value = {'number': '1'}
         mock_efi_bl.return_value = ['EFI/BOOT/BOOTX64.EFI']
-        stdout_msg = """
+        stdout_msg = r"""
 BootCurrent: 0001
 Timeout: 0 seconds
 BootOrder: 0000,00001
@@ -390,7 +390,7 @@ def test__uefi_bootloader_with_entry_removal_lenovo(
         # NOTE(TheJulia): This test string was derived from a lenovo SR650
         # which does do some weird things with additional entries.
         # most notably
-        stdout_msg = """
+        stdout_msg = r"""
 BootCurrent: 0000
 Timeout: 1 seconds
 BootOrder: 0000,0003,0002,0001