diff --git a/tsa/howto/tls.mdwn b/tsa/howto/tls.mdwn index 4498fc4dafc009393d2cf4a111e5b4343367bdf8..f94542f8c8381cf8c31b2672a1ebbb2d4683353d 100644 --- a/tsa/howto/tls.mdwn +++ b/tsa/howto/tls.mdwn @@ -130,16 +130,32 @@ Then run Puppet on all affected hosts, for example the static mirrors: ## Disaster recovery +No disaster recovery plan yet (TODO). + # Reference ## Installation -<!-- how to setup the service from scratch --> + +There is no documentation on how to deploy this service from +scratch. To deploy a new cert, see the above section and the +`ssl::service` Puppet resource. ## SLA -<!-- this describes an acceptable level of service for this service --> + +TLS is critical and should be highly available when relevant. It +should fail closed, that is if it fails a security check, it should +not allow a connexion. ## Design +TLS is one of two major transport security protocols used at TPA (the +other being [[ipsec]]). It is used by web servers (Apache, HA Proxy, +Nginx), bacup servers (Bacula), mail servers (Postfix), and possibly +more. + +Certificate generation is done by git hooks for Let's Encrypt or by a +`makefile` and cron job for auto-ca, see below for details. + ### Certificate authorities in use at Tor This documents mostly covers the Let's Encrypt certificates used by 
@@ -251,36 +267,36 @@ server (currently `cupani`): ## Issues -<!-- such projects are never over. add a pointer to well-known issues --> -<!-- and show how to report problems. usually a link to the bugtracker --> +There is no issue tracker specifically for this project, [File][] or +[search][] for issues in the [generic internal services][search] component. + + [File]: https://trac.torproject.org/projects/tor/newticket?component=Internal+Services%2FTor+Sysadmin+Team + [search]: https://trac.torproject.org/projects/tor/query?status=!closed&component=Internal+Services%2FTor+Sysadmin+Team ## Monitoring and testing -<!-- describe how this service is monitored and how it can be tested --> -<!-- after major changes like IP address changes or upgrades --> +When a HTTPS certificate is configured on a host, it MUST be +(manually) configured in Nagios. This can be done by adding the host +to the `apache-https-host`, `haproxy-https-host`, `nginx-https-hosts`, +depending on the webserver implementation. If the TLS server is +another implementation, a new check SHOULD be written. + +All Let's Encrypt certificates are automatically checked for expiry by +Nagios as well, on top of the above checks. # Discussion ## Overview -<!-- describe the overall project. should include a link to a ticket --> -<!-- that has a launch checklist --> - -## Goals -<!-- include bugs to be fixed --> - -### Must have - -### Nice to have - -### Non-Goals - -## Approvals required -<!-- for example, legal, "vegas", accounting, current maintainer --> - -## Proposed Solution +There are no plans to do major changes to the TLS configuration, +although [review of the cipher suites](https://trac.torproject.org/projects/tor/ticket/32351) is in progress (as of April +2020). We should have mechanisms to do such audits on a more +regular basis, and facilitate changes of those configurations over the +entire infrastructure. 
-## Cost +<!-- the Goals, Approvals, Proposed solutions and Cost sections have --> +<!-- been removed from the template because we don't have any big --> +<!-- project on the TLS infra at the moment --> ## Alternatives considered
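Review bot: in the first hunk (@@ -130,16 +130,32 @@), the new Design paragraph has two typos: "bacup servers (Bacula)" should read "backup servers", and "HA Proxy" is normally written "HAProxy". In the new SLA text, "should be highly available when relevant" does not say which services it covers, and "if it fails a security check" does not say which checks are meant. Listing the checks the fail-closed rule applies to would make the requirement testable. The "No disaster recovery plan yet (TODO)" line would be easier to follow up on with a ticket reference beside it.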
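Review bot: in the second hunk (@@ -251,36 +267,36 @@), the Monitoring paragraph lists "`apache-https-host`, `haproxy-https-host`, `nginx-https-hosts`" with the last name plural and the other two singular, and the sentence never says what these names are ("adding the host to the ..., depending on the webserver implementation"). Please confirm the nginx name against the Nagios configuration and add the missing noun. Since the Nagios step is manual and marked MUST, a pointer to where that configuration is edited would reduce the chance of a certificate being deployed without a check. Minor: "a HTTPS certificate" should be "an HTTPS certificate", and in Issues both "[search][]" and "[generic internal services][search]" resolve to the same URL, so one of the two links is redundant.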