Current Series Release Notes

11.5.0-13

New Features

  • Auto-generated TLS certificates now support configurable elliptic curves via the new tls_certificate_curve configuration option. Operators can choose between P-256, P-384, and P-521 curves to balance security, performance, and certificate size based on their requirements. This option can also be set via the ipa-tls-certificate-curve kernel parameter.

  • Added configuration options for TLS protocol version enforcement across all agent connections (both server and client). The new tls_min_version option allows operators to specify the minimum TLS version (1.2 or 1.3) for the agent API server and all outbound HTTPS connections (to Ironic, Inspector, and image servers). The tls_cipher_suites option allows customization of allowed cipher suites for TLS 1.2 connections. Both options can be set via kernel parameters (ipa-tls-min-version and ipa-tls-cipher-suites).

Upgrade Notes

  • Auto-generated TLS certificates now use the P-384 elliptic curve by default instead of P-256. This change is transparent and backward compatible - all actively maintained TLS implementations support P-384. Certificate sizes increase slightly from ~1 KB to ~1.2 KB, with negligible performance impact. Operators requiring P-256 for specific compatibility reasons can set tls_certificate_curve = p256 in the configuration.

  • The minimum supported TLS version has been raised from system default (potentially TLS 1.0) to TLS 1.2. Operators using legacy infrastructure that only supports TLS 1.0 or 1.1 will need to upgrade their Ironic conductors, Inspector services, and image servers to support at least TLS 1.2 before deploying this version of ironic-python-agent. All actively maintained versions of OpenStack Ironic support TLS 1.2.

  • If your environment uses custom or legacy TLS configurations, verify compatibility with TLS 1.2 before upgrading. Test deployments in a staging environment if you have strict TLS requirements. Operators requiring TLS 1.0/1.1 for legacy systems should not upgrade until those systems are modernized, as there is no configuration option to downgrade below TLS 1.2.
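As an added illustration (not ironic-python-agent's own certificate code), the following Python script generates a self-signed ECDSA certificate under each of the three curves named above, signs it with SHA-512 as described under Security Issues, and reports the properties an operator would verify after upgrading. It assumes the cryptography package is installed; the helper names and the lowercase curve spellings are assumptions modelled on the tls_certificate_curve = p256 example, not the agent's configuration parser.

```python
"""Added example: self-signed ECDSA certificates on P-256 / P-384 / P-521, signed with
SHA-512, plus a checker for the properties the release note describes.

Assumes the `cryptography` package. Function names and the "p256"/"p384"/"p521"
spellings are assumptions, not ironic-python-agent's own API."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Curve names as an operator might write them (assumed spelling, following the
# "tls_certificate_curve = p256" example in the upgrade note).
CURVES = {
    "p256": ec.SECP256R1,
    "p384": ec.SECP384R1,
    "p521": ec.SECP521R1,
}
DEFAULT_CURVE = "p384"  # the new default described in the release note


def generate_self_signed(common_name, curve_name=DEFAULT_CURVE, days=365):
    """Return (private_key, certificate) for a self-signed ECDSA certificate."""
    try:
        curve_cls = CURVES[curve_name.lower()]
    except KeyError:
        raise ValueError(
            f"unsupported curve {curve_name!r}; expected one of {sorted(CURVES)}"
        ) from None
    key = ec.generate_private_key(curve_cls())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False
        )
        .sign(key, hashes.SHA512())  # SHA-512 signature, as in the security note
    )
    return key, cert


def describe(cert):
    """Summarise what an operator would check: curve, key size, signing hash, size."""
    pub = cert.public_key()
    return {
        "curve": pub.curve.name,                               # e.g. 'secp384r1'
        "key_bits": pub.curve.key_size,                        # e.g. 384
        "signature_hash": cert.signature_hash_algorithm.name,  # 'sha512'
        "der_bytes": len(cert.public_bytes(serialization.Encoding.DER)),
    }


def signature_valid(cert):
    """Verify the certificate's own signature with its embedded public key."""
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except Exception:  # InvalidSignature or unsupported algorithm
        return False


if __name__ == "__main__":
    for curve in ("p256", "p384", "p521"):
        _, c = generate_self_signed("agent.example.invalid", curve)
        print(curve, describe(c), "signature ok" if signature_valid(c) else "BAD")
```

Running the script prints the curve, key size, signing hash and DER size for each certificate, so the size difference between P-256 and P-384 noted above is visible directly; the minimal certificates here carry fewer extensions than the agent's, so the absolute sizes differ from the ~1 KB figures.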

Security Issues

  • The default elliptic curve for auto-generated TLS certificates has been upgraded from P-256 to P-384. This provides enhanced quantum resistance, requiring approximately 3-4x more qubits to break compared to P-256 (~6,080 qubits vs ~2,330 qubits). P-384 offers ~192-bit security strength, equivalent to 7680-bit RSA, while maintaining broad compatibility with all modern TLS implementations.

  • Auto-generated TLS certificates now use SHA-512 for signing instead of SHA-256. This upgrade provides enhanced quantum resistance with 512-bit security strength against future quantum computing attacks, aligning with NIST recommendations for long-term cryptographic security.

  • TLS 1.2 is now enforced as the minimum protocol version for all HTTPS connections by default. This applies to the agent API server (inbound connections from Ironic) and all client connections (to Ironic API, Inspector, and image download servers). TLS 1.0 and 1.1 are no longer accepted as they have known security vulnerabilities and are deprecated by RFC 8996. Operators can configure TLS 1.3 as the minimum version using the tls_min_version configuration option for enhanced security.

  • Default cipher suites for TLS 1.2 connections have been limited to forward-secret AEAD ciphers: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, and ECDHE-RSA-AES128-GCM-SHA256. This removes support for weak ciphers including CBC-mode, RC4, and non-ephemeral key exchange. TLS 1.3 cipher suites are automatically selected by the TLS library and provide superior security.
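The following added example (standard-library Python only, not ironic-python-agent's own code) builds server- and client-side SSL contexts implementing the policy described in these notes: TLS 1.2 as the floor with 1.3 selectable, no option to go below 1.2, and only the four forward-secret AEAD suites listed above for TLS 1.2. The function names and the "1.2"/"1.3" string values are assumptions modelled on the tls_min_version and tls_cipher_suites options.

```python
"""Added example: SSLContext construction enforcing the release-note TLS policy.

Uses only the standard library. Function names and the "1.2"/"1.3" value format are
assumptions; they are not ironic-python-agent's own configuration code."""
import ssl

# The default TLS 1.2 suites from the release note, in OpenSSL notation.
DEFAULT_TLS12_CIPHER_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
)

# Only 1.2 and 1.3 are valid; the note states there is no way to downgrade below 1.2.
_MIN_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_min_version(value):
    """Map a tls_min_version-style string to ssl.TLSVersion, rejecting 1.0/1.1."""
    try:
        return _MIN_VERSIONS[str(value).strip()]
    except KeyError:
        raise ValueError(
            f"tls_min_version must be one of {sorted(_MIN_VERSIONS)}, got {value!r}"
        ) from None


def build_context(role, min_version="1.2", cipher_suites=DEFAULT_TLS12_CIPHER_SUITES):
    """role: 'server' for the agent API, 'client' for Ironic/Inspector/image fetches."""
    proto = {"server": ssl.PROTOCOL_TLS_SERVER, "client": ssl.PROTOCOL_TLS_CLIENT}[role]
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = parse_min_version(min_version)
    # Colon-separated OpenSSL cipher list; TLS 1.3 suites are chosen by the library
    # and are not affected by set_ciphers(), matching the note's last sentence.
    ctx.set_ciphers(":".join(cipher_suites))
    return ctx


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def weak_tls12_ciphers(ctx):
    """TLS 1.2 suites that are not AEAD or not ECDHE (hence not forward secret)."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] == "TLSv1.2"
        and (not c["aead"] or not c["name"].startswith("ECDHE-"))
    ]


def accepts_legacy_versions(ctx):
    """True if the context could still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1_1


if __name__ == "__main__":
    for role in ("server", "client"):
        ctx = build_context(role)
        print(role, "min:", ctx.minimum_version.name,
              "legacy accepted:", accepts_legacy_versions(ctx))
        print("  TLS 1.2 suites:", tls12_cipher_names(ctx))
        print("  weak suites:", weak_tls12_ciphers(ctx))
    try:
        build_context("client", "1.1")
    except ValueError as exc:
        print("rejected:", exc)
```

The weak-suite check is a useful audit step after upgrade: pass a context built from an operator-supplied tls_cipher_suites value to weak_tls12_ciphers and confirm it returns an empty list before deploying, since set_ciphers accepts any valid OpenSSL list, including CBC or non-ephemeral suites.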