Adjust default configuration to support TLS v1.3

This adds a new variable to manage TLS v1.3 cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: If857ec3e2e3728f6bea9740ff43dcb2df45429d2
This commit is contained in:
Andrew Bonney 2022-01-10 08:59:26 +00:00
parent 2efea71159
commit dfa253d72c
4 changed files with 19 additions and 4 deletions

View File

@ -237,8 +237,11 @@ keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
# TLS v1.2 and below
keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
# TLS v1.3
keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
# if using a self-signed certificate, set this to true to regenerate it
keystone_ssl_self_signed_regen: false

View File

@ -0,0 +1,6 @@
---
deprecations:
- |
The variable 'keystone_ssl_cipher_suite' is deprecated in favour of
'keystone_ssl_cipher_suite_tls12' which will continue to manage
configuration of ciphers for TLS v1.2 and earlier.

View File

@ -31,7 +31,12 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
{% if keystone_ssl_cipher_suite_tls12 != "" -%}
SSLCipherSuite {{ keystone_ssl_cipher_suite_tls12 }}
{% endif -%}
{% if keystone_ssl_cipher_suite_tls13 != "" -%}
SSLCipherSuite TLSv1.3 {{ keystone_ssl_cipher_suite_tls13 }}
{% endif -%}
SSLOptions +StdEnvVars +ExportCertData
{% endif -%}
{% if keystone_sp_apache_mod_auth_openidc -%}

View File

@ -55,5 +55,6 @@ haproxy_default_services:
haproxy_backend_options:
- "httpchk HEAD /"
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
ssl_cipher_suite_tls12: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
haproxy_ssl: false