Switch to TLSv1 as SSLv3 is considered insecure and is disabled by default

Rabbitmq won't talk to us anymore if we try to use SSLv3 as it disabled support for SSLv3. Openstack components use python's openssl implementation which does not support TLSv1.1 and TLSv1.2 yet so we just switch to TLSv1. Support for newer TLS should come with python 2.7.9+ Closes-Bug: #1409667 Change-Id: Id12adbc7f75940b2f6bd01e6080c853b15cf2116
2015-01-02 22:44:28 +01:00 · 2015-01-02 22:44:28 +01:00 · f2b115c566
commit f2b115c566
parent 5002282fd8
2 changed files with 6 additions and 6 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -137,7 +137,7 @@
 #   (optional) SSL version to use (valid only if SSL enabled).
 #   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
 #   available on some distributions.
-#   Defaults to 'SSLv3'
+#   Defaults to 'TLSv1'
 #
 # [*kombu_reconnect_delay*]
 #   (optional) The amount of time to wait before attempting to reconnect
@ -239,7 +239,7 @@ class neutron (
  $kombu_ssl_ca_certs          = undef,
  $kombu_ssl_certfile          = undef,
  $kombu_ssl_keyfile           = undef,
-  $kombu_ssl_version           = 'SSLv3',
+  $kombu_ssl_version           = 'TLSv1',
  $kombu_reconnect_delay       = '1.0',
  $qpid_hostname               = 'localhost',
  $qpid_port                   = '5672',
--- a/spec/classes/neutron_init_spec.rb
+++ b/spec/classes/neutron_init_spec.rb
@ -229,7 +229,7 @@ describe 'neutron' do
        :kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
        :kombu_ssl_certfile => '/path/to/ssl/cert/file',
        :kombu_ssl_keyfile  => '/path/to/ssl/keyfile',
-        :kombu_ssl_version  => 'SSLv3'
+        :kombu_ssl_version  => 'TLSv1'
      )
    end

@ -238,7 +238,7 @@ describe 'neutron' do
      should contain_neutron_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
      should contain_neutron_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
      should contain_neutron_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
-      should contain_neutron_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
+      should contain_neutron_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
    end
  end

@ -254,7 +254,7 @@ describe 'neutron' do
      should contain_neutron_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
      should contain_neutron_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
      should contain_neutron_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
-      should contain_neutron_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
+      should contain_neutron_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
    end
  end

@ -262,7 +262,7 @@ describe 'neutron' do
    before do
      params.merge!(
        :rabbit_use_ssl     => false,
-        :kombu_ssl_version  => 'SSLv3'
+        :kombu_ssl_version  => 'TLSv1'
      )
    end