From 1b54e4b5a72446cd92042485a48cb82cc451a475 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 19 Apr 2018 09:51:20 +0300
Subject: [PATCH] Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP compliance.

We now enforce TLS1.1 or higher for httpd connections, to meet the requirements for FedRAMP.

Change-Id: If875822f1cb705d17405621e64fea2536edc142a
Related-Bug: #1754368
---
 puppet/services/apache.j2.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/services/apache.j2.yaml b/puppet/services/apache.j2.yaml
index 3b2572c2b9..91ab0a04e6 100644
--- a/puppet/services/apache.j2.yaml
+++ b/puppet/services/apache.j2.yaml
@@ -104,6 +104,7 @@ outputs:
 - generate_service_certificates: true
 apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
+ apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
 tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
 tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
 apache_certificates_specs:
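Review bot: The added `apache::mod::ssl::ssl_protocol` list still permits TLSv1.1, which current NIST SP 800-52 guidance (the baseline FedRAMP references) no longer accepts, so if the goal is a compliance floor rather than the literal "TLS1.1 or higher" of the message, the line should read `apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1']`. This value only sets the server-wide `SSLProtocol`; in puppetlabs-apache a vhost that passes its own `ssl_protocol` emits a per-vhost directive that overrides it, so any service vhost template in this repo that sets that parameter would presumably not be covered — worth confirming before relying on this line alone. A protocol floor also does not remove weak cipher suites; unless `apache::mod::ssl::ssl_cipher` is pinned elsewhere in this file, the two should be set together. A one-line comment above the new key stating why the list exists would help the next maintainer, e.g. `# FedRAMP: SSLv2, SSLv3 and TLS1.0 must stay disabled (Related-Bug: #1754368)`. The enclosing `outputs:` mapping starts before this hunk, and the header counts seven new lines while only six are visible, so the hunk's trailing context likely continues past this chunk.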