From 0d74b74bfc29a4eb931ca60a9cecb76e5f746801 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Mon, 10 Jan 2022 08:14:09 +0000
Subject: [PATCH] Add defaults for TLS 1.3 and rename TLS <= 1.2 variable

TLS v1.3 uses different (incompatible) cipher suite names, so a new variable is added to set these in roles which require them. TLS v1.2 and below is still required, but the variable name is changed to avoid confusion, whilst using the old name as a default if set by a user deployment.

Change-Id: I9312daa7ca75e484f8aa3857fe43565c89e3f09a
---
 inventory/group_vars/all/ssl.yml | 5 +++--
 releasenotes/notes/tls_variables-991aec792d58eeb9.yaml | 10 ++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/tls_variables-991aec792d58eeb9.yaml

diff --git a/inventory/group_vars/all/ssl.yml b/inventory/group_vars/all/ssl.yml
index db40746fcb..c4c52e9052 100644
--- a/inventory/group_vars/all/ssl.yml
+++ b/inventory/group_vars/all/ssl.yml
@@ -18,7 +18,8 @@
 # services running behind Apache (currently, Horizon and Keystone).
 ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
 #variables used in OSA roles which call the PKI role
 openstack_pki_dir: "/etc/openstack_deploy/pki"
@@ -63,4 +64,4 @@ openstack_pki_authorities:
 
 #install the root CA certificate on all hosts and containers
 openstack_pki_install_ca:
-  - name: "ExampleCorpRoot"
\ No newline at end of file
+  - name: "ExampleCorpRoot"
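Review bot: The new `ssl_cipher_suite_tls13` line in the first hunk carries no comment, while the line above it still cites the hynek.me article that only covers the TLS <= 1.2 list, so a reader may assume the two strings share a syntax. A comment such as `# TLS 1.3 cipher suites use their own IANA names and are configured separately from the TLS <= 1.2 list above (OpenSSL "ciphersuites" syntax)` on the `tls13` line would make the split explicit. The `default()` fallback on `ssl_cipher_suite_tls12` only fires when `ssl_cipher_suite` is undefined, so a deployment that sets the old variable to an empty string will propagate that empty string; `default(..., true)` would treat empty values as unset if that is the intended behaviour, and a `# ssl_cipher_suite is deprecated, see ssl_cipher_suite_tls12` comment would mark the transition in the file itself rather than only in the release note. The second hunk only fixes the missing trailing newline.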
diff --git a/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml b/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml
new file mode 100644
index 0000000000..57a5b6184c
--- /dev/null
+++ b/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    A new 'ssl_cipher_suite_tls13' variable is added for global control of
+    TLS v1.3 cipher suites.
+deprecations:
+  - |
+    The variable 'ssl_cipher_suite' is deprecated in favour of
+    'ssl_cipher_suite_tls12' which will continue to manage configuration of
+    ciphers for TLS v1.2 and earlier.