From 05d9f6a03245a4176371621503cadf609efe0d39 Mon Sep 17 00:00:00 2001 From: Matthew Thode Date: Mon, 17 Dec 2018 09:57:03 -0600 Subject: [PATCH] Force force-tlsv12 only Secure by default Change-Id: I507a25114481ff0c6b229eeea980785a45dad460 --- inventory/group_vars/all/ssl.yml | 2 +- releasenotes/notes/tls12-only-08825fd013f0a244.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/tls12-only-08825fd013f0a244.yaml diff --git a/inventory/group_vars/all/ssl.yml b/inventory/group_vars/all/ssl.yml index 9ff527b12f..f214ce76e9 100644 --- a/inventory/group_vars/all/ssl.yml +++ b/inventory/group_vars/all/ssl.yml @@ -16,6 +16,6 @@ ## SSL # These do not need to be configured unless you're creating certificates for # services running behind Apache (currently, Horizon and Keystone). -ssl_protocol: "ALL -SSLv2 -SSLv3" +ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1" # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" diff --git a/releasenotes/notes/tls12-only-08825fd013f0a244.yaml b/releasenotes/notes/tls12-only-08825fd013f0a244.yaml new file mode 100644 index 0000000000..170b8a7d76 --- /dev/null +++ b/releasenotes/notes/tls12-only-08825fd013f0a244.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + The default TLS version has been set to TLS1.2. This only allows + version 1.2 of the protocol to be used when terminating or creating TLS + connections. You can change the value with the ssl_protocol variable.