Force force-tlsv12 only

Secure by default

Change-Id: I507a25114481ff0c6b229eeea980785a45dad460
This commit is contained in:
Matthew Thode 2018-12-17 09:57:03 -06:00
parent 7b27f7ba30
commit 05d9f6a032
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 7 additions and 1 deletions

View File

@ -16,6 +16,6 @@
## SSL ## SSL
# These do not need to be configured unless you're creating certificates for # These do not need to be configured unless you're creating certificates for
# services running behind Apache (currently, Horizon and Keystone). # services running behind Apache (currently, Horizon and Keystone).
ssl_protocol: "ALL -SSLv2 -SSLv3" ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

View File

@ -0,0 +1,6 @@
---
security:
- |
The default TLS version has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the ssl_protocol variable.