From 56e7fb66611516bd719fe882bacf2b4b1aa45cb5 Mon Sep 17 00:00:00 2001
From: Ian Cordasco
Date: Fri, 27 Mar 2015 16:51:23 -0500
Subject: [PATCH] Harden Keystone's Apache config
Previously the keystone-httpd.conf was only blacklisting SSLv2 and was allowing suboptimal (and in some cases, prohibited) cipher suites (e.g., RC4).
Change-Id: I4456bc1a0056da051947977a26dd6d57c549e421
Closes-bug: 1437481
---
 playbooks/roles/os_keystone/defaults/main.yml | 3 +++
 .../roles/os_keystone/templates/keystone-httpd.conf.j2 | 10 ++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index 01bc432390..54cd18856d 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -111,6 +111,9 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
+keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
+# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
 
 ## Caching
 # If set this will enable dog pile cache for keystone.
diff --git a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
index 1a98a8c731..4597623e32 100644
--- a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
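Review bot: The new `keystone_ssl_cipher_suite` default keeps the `ECDH+3DES:DH+3DES:RSA+3DES` entries and the non-forward-secret `RSA+AESGCM:RSA+AES` entries, but the only comment is the source URL, so an operator cannot tell whether those are deliberate compatibility choices or an oversight; the same applies to the undocumented `keystone_ssl_protocol`, whose `ALL -SSLv2 -SSLv3` value still leaves TLSv1.0 and TLSv1.1 enabled. A short comment above each variable would make the trade-off explicit, for example `# Protocols: SSLv2 and SSLv3 are disabled; narrow further (e.g. "ALL -SSLv2 -SSLv3 -TLSv1") if legacy clients are not required` and `# 3DES and plain-RSA suites are retained for older clients; drop them once all clients support ECDHE/DHE AES`. Because the string is copied from an external page whose recommendations change over time, recording the date of the copy in the comment would let a later reviewer judge how stale the list is.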
@@ -18,8 +18,9 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+ SSLProtocol {{ keystone_ssl_protocol }}
+ SSLHonorCipherOrder On
+ SSLCipherSuite {{ keystone_ssl_cipher_suite }}
 SSLOptions +StdEnvVars +ExportCertData
 {% endif %}
@@ -41,8 +42,9 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+ SSLProtocol {{ keystone_ssl_protocol }}
+ SSLHonorCipherOrder On
+ SSLCipherSuite {{ keystone_ssl_cipher_suite }}
 SSLOptions +StdEnvVars +ExportCertData
 {% endif %}
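Review bot: `SSLHonorCipherOrder On` is added but the block still sets no `SSLCompression off`, so TLS-level compression is left at whatever the installed httpd defaults to (the directive exists in 2.4.3 and later, and its default has varied across releases); the same gap is in the second hunk at line 41. Adding `SSLCompression off` beside the new `SSLHonorCipherOrder On` line in both places closes it, behind a version check if the role must also run on httpd builds without the directive. Several of the default suites (`DH+AESGCM`, `DH+AES256`, `DH+AES`, `DH+3DES`) use finite-field DH, whose parameter size comes from the Apache build rather than from this template, so a comment such as `# DH suites use httpd's built-in DH parameters; verify their size on the target Apache version` would help operators judge the real strength. The two hunks add identical directives, so moving them into a single Jinja block or macro would avoid the two copies drifting apart. The enclosing `{% if %}` block opens outside the hunk.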