openstack/openstack-ansible
Code Issues Proposed changes

Force force-tlsv12 only

Browse Source 
Secure by default

Change-Id: I507a25114481ff0c6b229eeea980785a45dad460
This commit is contained in:
Matthew Thode 2018-12-17 09:57:03 -06:00
parent 7b27f7ba30
commit 05d9f6a032
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
inventory/group_vars/all/ssl.yml
View File

@ -16,6 +16,6 @@
## SSL
# These do not need to be configured unless you're creating certificates for
# services running behind Apache (currently, Horizon and Keystone).
ssl_protocol: "ALL -SSLv2 -SSLv3"
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

6
releasenotes/notes/tls12-only-08825fd013f0a244.yaml Normal file
View File

@ -0,0 +1,6 @@
---
security:
- |
The default TLS version has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the ssl_protocol variable.