Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP compliance.

We now enforce TLS1.1 or higher for httpd connections, to meet the
requirements for FedRAMP.

Change-Id: If875822f1cb705d17405621e64fea2536edc142a
Related-Bug: #1754368
Juan Antonio Osorio Robles 2018-04-19 09:51:20 +03:00
parent 628cd0e390
commit 1b54e4b5a7


@ -104,6 +104,7 @@ outputs:
- -
generate_service_certificates: true generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile} apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd' tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd' tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs: apache_certificates_specs:
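Review bot: The added `apache::mod::ssl::ssl_protocol` value is a deny-list (`'all'` minus three versions), so TLSv1.1 stays enabled and anything Apache later includes in `all` is accepted without a change here. That matches the "TLS1.1 or higher" wording of the commit message, but an explicit allow-list such as `['-all', '+TLSv1.1', '+TLSv1.2']` would make the accepted set visible at a glance, at the cost of having to add newer versions by hand. A short comment above the line, e.g. `# FedRAMP: SSLv2, SSLv3 and TLSv1.0 disabled (bug #1754368)`, would record why the key is set. The list is also hard-coded, so a deployment that must require TLSv1.2 only has to override the hieradata key; exposing it as a template parameter would be cleaner. The enclosing config block starts and ends outside this hunk, so it is not visible here whether httpd deployed without internal TLS gets the same restriction.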