From f2c5ffe7b192b547f54b5da7f55b4be16890360a Mon Sep 17 00:00:00 2001
From: Ian Cordasco
Date: Wed, 8 Apr 2015 17:12:37 -0500
Subject: [PATCH] Genericize how we update SSL settings for Apache

In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's Apache SSL settings. In order to keep all Apache SSL settings uniformly configured, we also need to update Horizon's settings and centralize where we define the cipher suite that the server supports and the preferred protocol versions.

We also explicitly disable SSLCompression even though we tend to only test against versions of Apache that have this off by default. If someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise have to explicitly turn this off. Preferring security by default, we disable it explicitly to prevent insecure installations anywhere.

We also document how users can override specific service SSL settings in the event one service needs to support older clients that require certain protocols or ciphers. For example, it's very plausible that an organization may need to enable RC4 and SSLv3 for Horizon since their users are still using XP and an old version of Internet Explorer.

Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
---
 etc/openstack_deploy/user_variables.yml | 13 +++++++++++++
 playbooks/roles/os_horizon/defaults/main.yml | 2 ++
 .../templates/openstack_dashboard.conf.j2 | 3 ++-
 playbooks/roles/os_keystone/defaults/main.yml | 5 ++---
 .../os_keystone/templates/keystone-httpd.conf.j2 | 2 ++
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/etc/openstack_deploy/user_variables.yml b/etc/openstack_deploy/user_variables.yml
index e174045155..05ed5e55a1 100644
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@@ -38,3 +38,16 @@ glance_swift_store_endpoint_type: internalURL
 ## Swift
 # This will allow all users to create containers and upload to swift if set to True
 swift_allow_all_users: False
+
+## Apache SSL Settings
+# These do not need to be configured unless you're creating certificates for
+# services running behind Apache (currently, Horizon and Keystone).
+ssl_protocol: "ALL -SSLv2 -SSLv3"
+# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+# To override for Keystone only:
+# - keystone_ssl_protocol
+# - keystone_ssl_cipher_suite
+# To override for Horizon only:
+# - horizon_ssl_protocol
+# - horizon_ssl_cipher_suite
diff --git a/playbooks/roles/os_horizon/defaults/main.yml b/playbooks/roles/os_horizon/defaults/main.yml
index c85161f430..38a0ed62ca 100644
--- a/playbooks/roles/os_horizon/defaults/main.yml
+++ b/playbooks/roles/os_horizon/defaults/main.yml
@@ -60,6 +60,8 @@ horizon_enable_password_retrieve: False
 horizon_ssl_cert: /etc/ssl/certs/apache.cert
 horizon_ssl_key: /etc/ssl/private/apache.key
 horizon_ssl_cert_path: /etc/ssl/certs
+horizon_ssl_protocol: "{{ ssl_protocol }}"
+horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 
 ## Launch instance
 horizon_launch_instance_legacy: True
diff --git a/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2 b/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
index 6cb8187966..4a4dc9c5d0 100644
--- a/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
+++ b/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
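Review bot: The shared `ssl_cipher_suite` string added here keeps the `ECDH+3DES`, `DH+3DES` and `RSA+3DES` entries, so once the Horizon template is switched to it (next file) Horizon loses the `!3DES`, `!LOW`, `!EXP` and `!RC4` exclusions its previous hard-coded suite carried; for that service this is a loosening, not a hardening. If 3DES is meant to stay for old-client compatibility, say so next to the value, otherwise drop the three `+3DES` groups and append `:!3DES`. The comment `# These do not need to be configured unless you're creating certificates for` is also misleading: these values govern protocol and cipher negotiation for any TLS-enabled Apache service regardless of who issued the certificate, so `# These only matter for services that Apache serves over TLS (currently Horizon and Keystone)` would describe them better.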
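Review bot: `horizon_ssl_protocol: "{{ ssl_protocol }}"` and `horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"` make the role's defaults depend on variables that exist only in the new `etc/openstack_deploy/user_variables.yml`; a deployment that keeps an existing copy of that file (not regenerated on upgrade, if that is how it is consumed) will fail at template time with an undefined variable, where the Keystone role previously carried its own self-contained defaults. The same applies to the `keystone_ssl_protocol` / `keystone_ssl_cipher_suite` lines in the os_keystone defaults hunk. Giving the defaults a fallback, e.g. `horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"` and the equivalent for the cipher suite, keeps the role usable on its own while still honouring the central value when it is set.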
@@ -22,9 +22,10 @@ SSLCertificateKeyFile {{ horizon_ssl_key }}
 SSLCACertificatePath {{ horizon_ssl_cert_path }}
 SSLCARevocationPath {{ horizon_ssl_cert_path }}
+ SSLCompression Off
 SSLProtocol All -SSLv2 -SSLv3
 SSLHonorCipherOrder On
- SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+ SSLCipherSuite {{ horizon_ssl_cipher_suite }}
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 
 WSGIScriptAlias / {{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index 54cd18856d..6ac5e89ee6 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -111,9 +111,8 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
-keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
-# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+keystone_ssl_protocol: "{{ ssl_protocol }}"
+keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 
 ## Caching
 # If set this will enable dog pile cache for keystone.
diff --git a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
index 4597623e32..a5fc9ed4bf 100644
--- a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
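Review bot: `SSLProtocol All -SSLv2 -SSLv3` is left hard-coded in this hunk even though the commit defines `horizon_ssl_protocol` in the os_horizon defaults and documents it in user_variables.yml as the Horizon-only override, so setting that variable has no effect on the dashboard while the cipher suite override does work. The line should read `SSLProtocol {{ horizon_ssl_protocol }}`, mirroring `SSLProtocol {{ keystone_ssl_protocol }}` in the Keystone template. Separately, `SSLCompression Off` added here (and in both hunks of keystone-httpd.conf.j2) is a directive that mod_ssl only knows from the httpd versions the commit message names (2.2.24 / 2.4.3 and later); on an older build an unrecognized directive stops httpd from starting, which is worth a one-line comment above it such as `# SSLCompression requires httpd >= 2.2.24 / 2.4.3`. The enclosing VirtualHost block begins and ends outside this hunk.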
@@ -18,6 +18,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
+ SSLCompression Off
 SSLProtocol {{ keystone_ssl_protocol }}
 SSLHonorCipherOrder On
 SSLCipherSuite {{ keystone_ssl_cipher_suite }}
@@ -42,6 +43,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
+ SSLCompression Off
 SSLProtocol {{ keystone_ssl_protocol }}
 SSLHonorCipherOrder On
 SSLCipherSuite {{ keystone_ssl_cipher_suite }}
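Review bot: The two hunks in this template add the identical `SSLCompression Off` line to two copies of the same seven-line SSL stanza (`SSLCARevocationPath` through `SSLCipherSuite`), which is the second time this commit has had to edit both copies in lockstep; the earlier hardening change had to as well, judging by the already-duplicated `SSLProtocol` and `SSLCipherSuite` lines. Any future protocol or cipher change that reaches only one VirtualHost would leave the two listeners with different TLS policies without anything flagging it. Factoring the stanza into a Jinja macro or an included partial, or at least adding a comment above each copy such as `# Keep in sync with the SSL stanza in the other VirtualHost below/above`, would make that drift harder to introduce. Both enclosing VirtualHost blocks begin and end outside the hunks.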