diff --git a/source/pdp/configuration.rst b/source/pdp/configuration.rst
index 4859937..6b8a3b9 100644
--- a/source/pdp/configuration.rst
+++ b/source/pdp/configuration.rst
@@ -98,6 +98,18 @@ SECURITY section
 - No
 - false
+ *
+ - tlsProtocol
+ - Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1.
+ - No
+ - TLS
+
+ *
+ - enabledProtocols
+ - Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1.
+ - No
+ - None
+
 *
 - requireClientCertAuthentication
 - Indicates whether the client must use a valid client certificate to authenticate to the PDP
@@ -126,6 +138,7 @@ PDP configuration file.
 trustInfoDir = /etc/grid-security/certificates
 # HTTPS enabled
 enableSSL = true
+ tlsProtocol = TLS
 Advanced Configuration Options
 ------------------------------
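Review bot: The tlsProtocol and enabledProtocols rows added to the SECURITY list-table present TLSv1.1 and TLSv1 as ordinary selectable values, with no indication that these versions are deprecated (RFC 8996) and that TLSv1.2 is the value to prefer, and the enabledProtocols default is given as `None` without saying which versions are actually enabled when the property is unset. The same two descriptions are repeated in the grid-table rewrite of this file's SECURITY section and in the pepd_configuration.rst SECURITY table, so the wording needs fixing in all three places; `whent` in the tlsProtocol row is a typo for `when`. I would append to the enabledProtocols description a sentence such as `TLSv1.1 and TLSv1 are deprecated; restrict this to TLSv1.2 unless a legacy client requires otherwise.` and state in the same row what is enabled when it is not set. Since both configuration examples now set `tlsProtocol = TLS`, the page should also say whether that value alone restricts the negotiated version or whether enabledProtocols must be set for that.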
@@ -195,15 +208,21 @@ POLICY section
 SECURITY section
 ~~~~~~~~~~~~~~~~
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| Property | Description | Required? | Default Value |
-+=======================+===============================================================================================================+===========+==================+
-| trustInfoRefresh | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates. | N | 60 (1 hour) |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired. | N | 300s (5 minutes) |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
-| clockSkew | The allowance, in seconds, used when computing validity periods. | N | 30s |
-+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| Property | Description | Required? | Default Value |
++=======================+===================================================================================================================================================================================+===========+==================+
+| trustInfoRefresh | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates. | N | 60 (1 hour) |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired. | N | 300s (5 minutes) |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| clockSkew | The allowance, in seconds, used when computing validity periods. | N | 30s |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| enableSSL | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N | false |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| tlsProtocol | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | N | TLS |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
+| enabledProtocols | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1 | N | None |
++-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
 .. _argus-pdp-conf-env-file:
diff --git a/source/pep/pepd_configuration.rst b/source/pep/pepd_configuration.rst
index b2e72ca..70bf4ee 100644
--- a/source/pep/pepd_configuration.rst
+++ b/source/pep/pepd_configuration.rst
@@ -109,6 +109,10 @@ SECURITY section
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
 | ``enableSSL`` | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N | false |
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
+| ``tlsProtocol`` | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | N | TLS |
++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
+| ``enabledProtocols`` | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1 | N | None |
++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
 | ``requireClientCertAuthentication`` | The client must have a valid X.509 client certificate to authenticate to the PEP Server | N | true |
 +-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
@@ -150,6 +154,7 @@ matches the name section configuring the PIP. Also note that the
 serviceCertificate = /etc/grid-security/hostcert.pem
 trustInfoDir = /etc/grid-security/certificates
 enableSSL = true
+ tlsProtocol = TLS
 requireClientCertAuthentication = true
 [REQVALIDATOR_PIP]
diff --git a/source/release_notes.rst b/source/release_notes.rst
index 50e3a6b..0f7d163 100644
--- a/source/release_notes.rst
+++ b/source/release_notes.rst
@@ -8,7 +8,7 @@ Latest release:
 .. toctree::
 :maxdepth: 1
- release_notes/v_1_7_2
+ release_notes/v_1_7_3
 Older releases:
@@ -16,6 +16,7 @@ Older releases:
 .. toctree::
 :maxdepth: 1
+ release_notes/v_1_7_2
 release_notes/v_1_7_1
 release_notes/v_1_7_0
diff --git a/source/release_notes/v_1_7_3.rst b/source/release_notes/v_1_7_3.rst
new file mode 100644
index 0000000..6936f4b
--- /dev/null
+++ b/source/release_notes/v_1_7_3.rst
@@ -0,0 +1,44 @@
+.. _v1_7_3:
+
+Argus 1.7.3 (02-03-2020)
+========================
+
+The Argus 1.7.3 release allows TLS protocol version to be configured on pdp and pep server components.
+
+Updated components
+~~~~~~~~~~~~~~~~~~
+
+This release provides the following updated components:
+
+- Argus PEP service version 1.7.4
+- Argus PDP service version 1.7.1
+
+Packages
+~~~~~~~~
+
+Packages for this release can be obtained from the Argus product team package repository:
+
+https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/argus-rpm-stable/
+
+Upgrade procedure
+-----------------
+
+To install Argus 1.7.3:
+
+#. Update the packages.
+#. Restart the Argus PEP and PDP services.
+
+Main fixes
+~~~~~~~~~~
+
+`argus-pep-server-1.7.4`_
+`argus-pdp-1.7.1`_
+------------------
+
+- TLS protocol version should be configurable [`pep-25`_].
+- TLS protocol version should be configurable [`pdp-6`_].
+
+.. _pep-25: https://github.com/argus-authz/argus-pep-server/issues/25
+.. _pdp-6: https://github.com/argus-authz/argus-pdp/issues/6
+.. _argus-pep-server-1.7.4: https://github.com/argus-authz/argus-pep-server/milestone/3
+.. _argus-pdp-1.7.1: https://github.com/argus-authz/argus-pdp/milestone/1