08bdcdb5b6
The console proxies (VNC, SPICE, etc) currently don't allow the allowed TLS ciphers and protocol versions to be configurable. This results in the defaults being used from the underlying system, which may not be secure enough for many deployments. This patch allows for the ciphers and minimum SSL/TLS protocol version for each console proxy to be configured in nova's config.

We utilize websockify underneath our console proxies, which added support for allowed ciphers and the SSL/TLS version to be configurable as of version 0.9.0. This change updates the lower constraint for this dependency.

Closes-Bug: #1842149
Related-Bug: #1771773
Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
18 lines
853 B
YAML
---
other:
  - |
    A new pair of ``ssl_ciphers`` and ``ssl_minimum_version`` configuration
    options has been introduced for use by the ``nova-novncproxy``,
    ``nova-serialproxy``, and ``nova-spicehtml5proxy`` services. These new
    options allow one to configure the allowed TLS ciphers and minimum protocol
    version to enforce for incoming client connections to the proxy services.

    This aims to address the issues reported in `bug 1842149`_, where it
    describes that the proxy services can inherit insecure TLS ciphers
    and protocol versions from the compiled-in defaults of the OpenSSL
    library on the underlying system. The proxy services provided no way
    to override such insecure defaults with current day generally accepted
    secure TLS settings.

    .. _bug 1842149: https://bugs.launchpad.net/nova/+bug/1842149
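A fail-fast check of the two options described above, added here as an illustration and not nova's or websockify's own code: it builds the server-side ``ssl.SSLContext`` a proxy listener would use, rejects a bad value at service start rather than at the first client connection, and lists any enabled suite a defender would not want offered. The accepted value spellings (``tlsv1_2`` and so on), the weak-name markers and the helper names are assumptions.

```python
"""Fail-fast check of the console-proxy TLS options (added illustration)."""
import ssl

# Option values accepted here; the spellings are an assumption, not nova's.
_MIN_VERSIONS = {
    "default": None,  # keep the library's compiled-in minimum
    "tlsv1_1": ssl.TLSVersion.TLSv1_1,
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
    "tlsv1_3": ssl.TLSVersion.TLSv1_3,
}

# Substrings of OpenSSL suite names a console proxy should never offer
# (assumed list for this illustration).
_WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def build_server_context(ssl_ciphers=None, ssl_minimum_version="default"):
    """Server-side SSLContext for the proxy listener.

    An unknown version name raises ValueError and a cipher string OpenSSL
    cannot satisfy raises ssl.SSLError, so a typo in the config aborts
    service start instead of surfacing when the first client connects.
    """
    if ssl_minimum_version not in _MIN_VERSIONS:
        raise ValueError("unknown ssl_minimum_version %r" % ssl_minimum_version)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    minimum = _MIN_VERSIONS[ssl_minimum_version]
    if minimum is not None:
        ctx.minimum_version = minimum
    if ssl_ciphers:
        # Governs TLS <= 1.2 suites only; TLS 1.3 suites are fixed by OpenSSL.
        ctx.set_ciphers(ssl_ciphers)
    return ctx


def weak_cipher_names(names):
    """Return, sorted, the suite names that contain a weak marker."""
    return sorted(n for n in names if any(m in n for m in _WEAK_MARKERS))


def startup_check(ssl_ciphers, ssl_minimum_version):
    """Build the context; return (minimum version name, weak enabled suites)."""
    ctx = build_server_context(ssl_ciphers, ssl_minimum_version)
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return ctx.minimum_version.name, weak_cipher_names(enabled)


if __name__ == "__main__":
    print(startup_check("ECDHE-RSA-AES256-GCM-SHA384", "tlsv1_2"))
```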