From 0495961558411a252401503f6ebf19d0c333ed02 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Thu, 9 Feb 2017 16:59:30 -0800
Subject: [PATCH] Remove 3DES from ssl_cipher_suite

Triple-DES is a vulnerable cipher and should be disabled by default.

https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Change-Id: I3171abf6c630f287653e7d80f4ba3ff1cc8db375
---
 playbooks/inventory/group_vars/all.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/playbooks/inventory/group_vars/all.yml b/playbooks/inventory/group_vars/all.yml
index 0e1f9d4a8b..7aace3812a 100644
--- a/playbooks/inventory/group_vars/all.yml
+++ b/playbooks/inventory/group_vars/all.yml
@@ -100,7 +100,7 @@ openstack_service_publicuri_proto: https
 # services running behind Apache (currently, Horizon and Keystone).
 ssl_protocol: "ALL -SSLv2 -SSLv3"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
 
 ## Region Name
 service_region: RegionOne
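Review bot: Nothing on the new `ssl_cipher_suite` line or in the comment above it records that 3DES is excluded on purpose, and the string excludes it only by omission, so a later re-sync with the referenced article or the addition of a broader alias could quietly bring it back. I would make the exclusion explicit by ending the string with `:!aNULL:!MD5:!DSS:!3DES"` and add a comment such as `# 3DES is excluded on purpose (64-bit block size, see https://sweet32.info/)`. The new value also still ends its positive list with `RSA+AESGCM:RSA+AES`, i.e. static-RSA key exchange without forward secrecy; if that is kept for older clients, the comment should say so. This file appears to set only the default, so deployments that override the variable would presumably keep their old string, which is worth a release note.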