OSSN-0039 Prevent POODLE attacks

Allow SSL protocol attribute, default to only TLS. Backport of Original Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5 to stable/havana Change-Id: I8feeae6fd19a8b0d9206178baccb75f84a89d419 Closes-Bug: #1384438
2014-11-19 13:52:50 -06:00 · 2014-11-19 13:52:50 -06:00 · 0fe72f1fcf
parent 0f62501895
commit 0fe72f1fcf
5 changed files with 13 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@ openstack-dashboard Cookbook CHANGELOG
 ==============================
 This file is used to list changes made in each version of the openstack-dashboard cookbook.

+## 8.1.2
+### Bug
+* Set default to use only TLS for SSL. OpenStack security note OSSN-0039
+
 ## 8.1.1
 ### Bug
 * Fix the DB2 ODBC driver issue
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -38,6 +38,8 @@ default['openstack']['dashboard']['server_hostname'] = nil
 default['openstack']['dashboard']['use_ssl'] = true
 default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
+# Which versions of the SSL/TLS protocol will be accepted in new connections.
+default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'

 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
--- a/metadata.rb
+++ b/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'cookbooks@lists.tfoundry.com'
 license          'Apache 2.0'
 description      'Installs/Configures the OpenStack Dasboard (Horizon)'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '8.1.1'
+version          '8.1.2'

 recipe           'openstack-dashboard::server', 'Sets up the Horizon dashboard within an Apache `mod_wsgi` container.'

@ -12,5 +12,5 @@ recipe           'openstack-dashboard::server', 'Sets up the Horizon dashboard w
  supports os
 end

-depends          'apache2'
+depends          'apache2', '< 2.0.0'
 depends          'openstack-common', '~> 8.0'
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@ -241,6 +241,10 @@ describe 'openstack-dashboard::server' do
        expect(chef_run).to render_file(file.name).with_content('autogenerated')
      end

+      it 'has the ssl protocol default' do
+        expect(chef_run).to render_file(file.name).with_content(/^\s*SSLProtocol All -SSLv2 -SSLv3$/)
+      end
+
      it 'has the default DocRoot' do
        expect(chef_run).to render_file(file.name)
        .with_content('DocumentRoot /usr/share/openstack-dashboard/openstack_dashboard/.blackhole/')
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
  SSLEngine on
  SSLCertificateFile <%= @ssl_cert_file %>
  SSLCertificateKeyFile <%= @ssl_key_file %>
+  SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
  <% end %>

  # Allow custom files to overlay the site (such as logo.png)