Add parameters for VNC console proxy SSL/TLS settings

This adds new NovaVNCProxySSLCiphers and NovaVNCProxySSLMinimumVersion parameters to manage the allowed TLS ciphers and minimum protocol version to enforce for incoming client connections to the VNC proxy service. Change-Id: Ida03a0aa54ca15b343339d92abb9c105ead8b0b6 Related-Bug: 1842149
2019-09-06 11:11:50 -07:00 · 2019-09-06 11:11:50 -07:00 · 4b4783e730
commit 4b4783e730
parent 96ece6b2b0
2 changed files with 23 additions and 0 deletions
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
@ -64,6 +64,21 @@ parameters:
                 the InternalTLSVncProxyCAFile parameter) is not desired. The current
                 default reflects TripleO's default CA, which is FreeIPA.
                 It will only be used if internal TLS is enabled.
+  NovaVNCProxySSLCiphers:
+    type: string
+    default: ''
+    description: OpenSSL cipher preference string that specifies what ciphers
+                 to allow for TLS connections from clients.  See the man page
+                 for the OpenSSL 'ciphers' command for details of the cipher
+                 preference string format and allowed values.
+  NovaVNCProxySSLMinimumVersion:
+    type: string
+    default: ''
+    description: Minimum allowed SSL/TLS protocol version.  Valid values are
+                 'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'.  A value of
+                 'default' will use the underlying system OpenSSL defaults.
+    constraints:
+    - allowed_values: ['', 'default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']
  StackUpdateType:
    type: string
    description: >
@ -156,6 +171,8 @@ outputs:
                nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
                nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
                nova::ssl_only: true
+                nova::console::ssl_ciphers: {get_param: NovaVNCProxySSLCiphers}
+                nova::console::ssl_minimum_version: {get_param: NovaVNCProxySSLMinimumVersion}
                nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
                nova::key: /etc/pki/tls/private/novnc_proxy.key
                generate_service_certificates: true
--- a/releasenotes/notes/add-console-ssl-cipher-protocol-params-d1f50f2c540c3f2b.yaml
+++ b/releasenotes/notes/add-console-ssl-cipher-protocol-params-d1f50f2c540c3f2b.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Added parameters NovaVNCProxySSLCiphers and NovaVNCProxySSLMinimumVersion
+    to manage the allowed TLS ciphers and minimum protocol version to enforce
+    for incoming client connections to the VNC proxy service.