Feat(eos_cli_config_gen): Add support for 'cipher v1.0' and 'cipher v…

…1.3' under management_security.ssl_profiles (#4782) Co-authored-by: laxmikantchintakindi <[email protected]> Co-authored-by: Mahesh Kumar <[email protected]> Co-authored-by: Guillaume Mulocher <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
aristanetworks · Dec 12, 2024 · 03a4f11 · 03a4f11
1 parent bf03626
commit 03a4f11
Show file tree

Hide file tree

Showing 17 changed files with 171 additions and 21 deletions.
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md
@@ -240,8 +240,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md
@@ -240,8 +240,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md b/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md
@@ -239,8 +239,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md b/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
@@ -239,8 +239,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md b/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
@@ -236,8 +236,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md b/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
@@ -238,8 +238,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md b/...llections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
@@ -238,8 +238,8 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary

diff --git a/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
@@ -1449,8 +1449,8 @@ address locking
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 | certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl<br>intermediate.crl |
 | cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - |
 | SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - |

diff --git a/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md b/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md
@@ -19,6 +19,7 @@
   - [AAA Accounting](#aaa-accounting)
 - [Management Security](#management-security)
   - [Management Security Summary](#management-security-summary)
+  - [Management Security SSL Profiles](#management-security-ssl-profiles)
   - [Management Security Device Configuration](#management-security-device-configuration)
 - [Prompt Device Configuration](#prompt-device-configuration)
 - [DHCP Relay](#dhcp-relay)
@@ -325,12 +326,22 @@ aaa accounting exec default none
 | -------- | ----- |
 | Reversible password encryption | aes-256-gcm |
 
+### Management Security SSL Profiles
+
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
+| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384<br>v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - |
+
 ### Management Security Device Configuration
 
 ```eos
 !
 management security
    password encryption reversible aes-256-gcm
+   !
+   ssl profile cipher-v1.0-v1.3
+      cipher v1.0 SHA256:SHA384
+      cipher v1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 ```
 
 ## Prompt Device Configuration

diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host2.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host2.cfg
@@ -98,6 +98,10 @@ management api gnmi
 !
 management security
    password encryption reversible aes-256-gcm
+   !
+   ssl profile cipher-v1.0-v1.3
+      cipher v1.0 SHA256:SHA384
+      cipher v1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 !
 radius-server attribute 32 include-in-access-req format myformat
 !

diff --git a/.../arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host2/management-security.yml b/.../arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host2/management-security.yml
@@ -1,5 +1,12 @@
 ---
+# schema_id = eos_cli_config_gen
 ## Management Security
 management_security:
   password:
     encryption_reversible: aes-256-gcm
+  ssl_profiles:
+    # test for ciphers for EOS versions 4.32.0F and later.
+    - name: cipher-v1.0-v1.3
+      ciphers:
+        v1_0: SHA256:SHA384
+        v1_3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
diff --git a/...lections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md b/...lections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2
@@ -34,15 +34,26 @@
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Cipher List | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ----------- | ---- |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
 {%         set ssl_profiles_certs = [] %}
 {%         for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %}
 {%             set crls = "-" %}
 {%             if ssl_profile.certificate_revocation_lists is arista.avd.defined %}
 {%                 set crls = ssl_profile.certificate_revocation_lists | arista.avd.natural_sort | join("<br>") %}
 {%             endif %}
-| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ssl_profile.cipher_list | arista.avd.default('-') }} | {{ crls }} |
+{%             if ssl_profile.ciphers is arista.avd.defined %}
+{%                 set ciphers = [] %}
+{%                 if ssl_profile.ciphers.v1_0 is arista.avd.defined %}
+{%                     do ciphers.append("v1.0 to v1.2: " ~ ssl_profile.ciphers.v1_0) %}
+{%                 endif %}
+{%                 if ssl_profile.ciphers.v1_3 is arista.avd.defined %}
+{%                     do ciphers.append("v1.3: " ~ ssl_profile.ciphers.v1_3) %}
+{%                 endif %}
+{%             elif ssl_profile.cipher_list is arista.avd.defined %}
+{%                 set ciphers = [ssl_profile.cipher_list] %}
+{%             endif %}
+| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('<br>') }} | {{ crls }} |
 {%             set tmp_cert = {} %}
 {%             if ssl_profile.trust_certificate is arista.avd.defined %}
 {%                 set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %}

diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2
@@ -90,9 +90,14 @@ management security
 {%         if ssl_profile.tls_versions is arista.avd.defined %}
       tls versions {{ ssl_profile.tls_versions }}
 {%         endif %}
-{%         if ssl_profile.cipher_list is arista.avd.defined %}
+{%         if ssl_profile.ciphers.v1_0 is arista.avd.defined %}
+      cipher v1.0 {{ ssl_profile.ciphers.v1_0 }}
+{%         elif ssl_profile.cipher_list is arista.avd.defined %}
       cipher-list {{ ssl_profile.cipher_list }}
 {%         endif %}
+{%         if ssl_profile.ciphers.v1_3 is arista.avd.defined %}
+      cipher v1.3 {{ ssl_profile.ciphers.v1_3 }}
+{%         endif %}
 {%         if ssl_profile.trust_certificate is arista.avd.defined %}
 {%             for trust_cert in ssl_profile.trust_certificate.certificates | arista.avd.natural_sort %}
       trust certificate {{ trust_cert }}

diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml
@@ -115,6 +115,21 @@ keys:
               description: |
                 cipher_list syntax follows the openssl cipher strings format.
                 Colon (:) separated list of allowed ciphers as a string.
+                Not supported on EOS version starting 4.32.0F, use the `ciphers` setting instead.
+            ciphers:
+              type: dict
+              description: This setting is applicable to EOS versions 4.32.0F and later.
+              keys:
+                v1_0:
+                  type: str
+                  description: |
+                    The cipher suites for TLS version 1.0, 1.1 and 1.2.
+                    Colon (:) separated list of allowed ciphers as a string.
+                v1_3:
+                  type: str
+                  description: |
+                    The cipher suites for TLS version 1.3.
+                    Colon (:) separated list of allowed ciphers as a string.
             trust_certificate:
               type: dict
               keys: