Merge "Tighten frontend nginx and haproxy TLS ciphersuites"

deployment/puppet/cluster/manifests/haproxy.pp

@@ -74,7 +74,7 @@ class cluster::haproxy (
     'spread-checks'             => $spread_checks,
     'tune.bufsize'              => $haproxy_bufsize,
     'tune.maxrewrite'           => $haproxy_maxrewrite,
-    'tune.ssl.default-dh-param' => $haproxy_ssl_default_dh_param
+    'tune.ssl.default-dh-param' => $haproxy_ssl_default_dh_param,
   }
 
   $defaults_options = {

deployment/puppet/nailgun/manifests/nginx_nailgun.pp

@@ -20,6 +20,16 @@ class nailgun::nginx_nailgun(
     $plain_http = true
   }
 
+  if $ssl_enabled {
+    $dhparam = '/etc/pki/tls/dhparam.pem'
+
+    exec { 'create new dhparam file':
+      path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+      command => "openssl dhparam -out ${dhparam} 4096",
+      creates => $dhparam,
+    }
+  }
+
   file { '/etc/nginx/conf.d/nailgun.conf':
     content => template('nailgun/nginx_nailgun.conf.erb'),
     owner   => 'root',

deployment/puppet/nailgun/spec/classes/nginx_nailgun_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'nailgun::nginx_nailgun' do
+  context 'when TLS enabled' do
+    let :params do
+    {
+        :staticdir => '/var/www/static/',
+        :logdumpdir => '/var/log/',
+        :ssl_enabled => true,
+    }
+    end
+
+    it 'should create new Diffie-Hellmann parameters file' do
+      should contain_exec('create new dhparam file')
+    end
+  end
+end

deployment/puppet/nailgun/templates/nginx_nailgun.conf.erb

@@ -12,8 +12,14 @@ server {
     listen   8443 ssl;
     ssl_certificate /var/lib/fuel/keys/master/nginx/nginx.crt;
     ssl_certificate_key /var/lib/fuel/keys/master/nginx/nginx.key;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    # NOTE: today we have to use SHA here cause there are no supported
+    # protocols below TLS1.2 which can use SHA256 at least.
+    # TODO(sbog): add !SHA here as soon as all our clients will support TLS1.2
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_session_cache shared:SSL:10m;
+    ssl_dhparam /etc/pki/tls/dhparam.pem;
     <%- end -%>
 
     server_name localhost;

deployment/puppet/openstack/manifests/ha/haproxy_service.pp

@@ -112,7 +112,8 @@ define openstack::ha::haproxy_service (
   if $public {
     $public_bind_address = suffix(any2array($public_virtual_ip), ":${listen_port}")
     if $public_ssl {
-      $public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path])
+      # TODO(sbog): add !SHA here as soon as all our clients will support TLS1.2
+      $public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
     } else {
       $public_bind = array_to_hash($public_bind_address, "")
     }
@@ -122,7 +123,8 @@ define openstack::ha::haproxy_service (
   if $internal {
     $internal_bind_address = suffix(any2array($internal_virtual_ip), ":$listen_port")
     if $internal_ssl {
-      $internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path])
+      # TODO(sbog): add !SHA here too as soon as all our clients will support TLS1.2
+      $internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
     } else {
       $internal_bind = array_to_hash($internal_bind_address, "")
     }