authorNathan Kinder <nkinder@redhat.com>2019-08-30 12:24:03 -0700
committerDouglas Mendizábal <dmendiza@redhat.com>2020-02-12 15:05:22 -0600
commit08bdcdb5b6866c2b6bf084344cca4dd07b960133 (patch)
tree2735d147aad976fa728def43f52fcf596b870b7c /nova/console
parent56fc3f28e48bd9c6faf72d2a8bfdf520cc3e60d0 (diff)
Allow TLS ciphers/protocols to be configurable for console proxies
The console proxies (VNC, SPICE, etc.) currently do not allow the permitted TLS ciphers and protocol versions to be configured. As a result, the defaults of the underlying system are used, which may not be secure enough for many deployments. This patch allows the ciphers and the minimum SSL/TLS protocol version for each console proxy to be configured in nova's config. We use websockify underneath our console proxies, which added support for configuring the allowed ciphers and the SSL/TLS version as of version 0.9.0. This change updates the lower constraint for this dependency. Closes-Bug: #1842149 Related-Bug: #1771773 Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
Diffstat (limited to 'nova/console')
-rw-r--r--nova/console/websocketproxy.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
index e13b3c0fe1..1b09905160 100644
--- a/nova/console/websocketproxy.py
+++ b/nova/console/websocketproxy.py
@@ -316,6 +316,17 @@ class NovaWebSocketProxy(websockify.WebSocketProxy):
with the compute node.
"""
self.security_proxy = kwargs.pop('security_proxy', None)
+
+ # If 'default' was specified as the ssl_minimum_version, we leave
+ # ssl_options unset to default to the underlying system defaults.
+ # We do this to avoid using websockify's behaviour for 'default'
+ # in select_ssl_version(), which hardcodes the versions to be
+ # quite relaxed and prevents us from using sytem crypto policies.
+ ssl_min_version = kwargs.pop('ssl_minimum_version', None)
+ if ssl_min_version and ssl_min_version != 'default':
+ kwargs['ssl_options'] = websockify.websocketproxy. \
+ select_ssl_version(ssl_min_version)
+
super(NovaWebSocketProxy, self).__init__(*args, **kwargs)
@staticmethod
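Review bot: Any `ssl_minimum_version` value other than an empty one or the literal `'default'` is handed straight to `websockify.websocketproxy.select_ssl_version` on lines 33-35, so this constructor relies on the caller (presumably the nova config option's choices list, which is not visible here) to restrict the string to names websockify accepts; a short comment stating that assumption would help the next reader, e.g. `# Caller is expected to have validated ssl_minimum_version against the names websockify's select_ssl_version() accepts.` The comment on line 31 misspells "system" as "sytem". The backslash continuation on lines 34-35 would read better wrapped in the call's own parentheses: `kwargs['ssl_options'] = websockify.websocketproxy.select_ssl_version(` / `    ssl_min_version)`. The enclosing `__init__` starts outside the hunk; only the tail of its docstring and body is visible.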