Force force-tlsv12 only
Secure by default Change-Id: I8e1e26291be2a5d2b3153a853c21965d54eac3e9
This commit is contained in:
parent
0f85a714fd
commit
599727704a
@ -244,7 +244,7 @@ keystone_ssl: false
|
|||||||
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
|
||||||
keystone_ssl_key: /etc/ssl/private/keystone.key
|
keystone_ssl_key: /etc/ssl/private/keystone.key
|
||||||
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
|
||||||
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1 TLSv1.1 TLSv1.2', 'ALL -SSLv2 -SSLv3') }}"
|
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
|
||||||
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
||||||
|
|
||||||
# if using a self-signed certificate, set this to true to regenerate it
|
# if using a self-signed certificate, set this to true to regenerate it
|
||||||
|
7
releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml
Normal file
7
releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The default TLS verion has been set to TLS1.2. This only allows
|
||||||
|
version 1.2 of the protocol to be used when terminating or creating TLS
|
||||||
|
connections. You can change the value with the keystone_ssl_protocol
|
||||||
|
variable.
|
Loading…
Reference in New Issue
Block a user