OSSN-0039 Prevent POODLE attacks
Allow SSL protocol attribute, default to only TLS. Backport of Original Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5 to stable/havana Change-Id: I8feeae6fd19a8b0d9206178baccb75f84a89d419 Closes-Bug: #1384438
parent
0f62501895
commit
0fe72f1fcf
|
@ -2,6 +2,10 @@ openstack-dashboard Cookbook CHANGELOG
|
|||
==============================
|
||||
This file is used to list changes made in each version of the openstack-dashboard cookbook.
|
||||
|
||||
## 8.1.2
|
||||
### Bug
|
||||
* Set default to use only TLS for SSL. OpenStack security note OSSN-0039
|
||||
|
||||
## 8.1.1
|
||||
### Bug
|
||||
* Fix the DB2 ODBC driver issue
|
||||
|
|
|
@ -38,6 +38,8 @@ default['openstack']['dashboard']['server_hostname'] = nil
|
|||
default['openstack']['dashboard']['use_ssl'] = true
|
||||
default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
||||
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
||||
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
||||
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||
|
||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||
# allows everything
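Review bot: The comment above `['ssl']['protocol']` does not say that the string is passed unchanged to Apache's `SSLProtocol` directive, so an operator overriding it cannot tell which syntax is accepted or what is at stake. I would extend it to something like `# Passed verbatim to Apache's SSLProtocol directive (mod_ssl syntax); keep SSLv2/SSLv3 disabled (POODLE, OSSN-0039).` Note also that `All -SSLv2 -SSLv3` still leaves TLSv1.0 enabled wherever the local mod_ssl supports it, so sites with a stricter policy need to override the attribute.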
|
||||
|
|
|
@ -4,7 +4,7 @@ maintainer_email 'cookbooks@lists.tfoundry.com'
|
|||
license 'Apache 2.0'
|
||||
description 'Installs/Configures the OpenStack Dasboard (Horizon)'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '8.1.1'
|
||||
version '8.1.2'
|
||||
|
||||
recipe 'openstack-dashboard::server', 'Sets up the Horizon dashboard within an Apache `mod_wsgi` container.'
|
||||
|
||||
|
@ -12,5 +12,5 @@ recipe 'openstack-dashboard::server', 'Sets up the Horizon dashboard w
|
|||
supports os
|
||||
end
|
||||
|
||||
depends 'apache2'
|
||||
depends 'apache2', '< 2.0.0'
|
||||
depends 'openstack-common', '~> 8.0'
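Review bot: The `depends 'apache2', '< 2.0.0'` line adds an upper bound that neither the commit message nor the 8.1.2 CHANGELOG entry mentions, assuming the constrained line is the new side of this hunk. A security backport that also pins a dependency should say why, either in a comment above the line stating the reason for the bound or in an extra CHANGELOG bullet. Without that, a later maintainer cannot tell whether the pin can be lifted.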
|
||||
|
|
|
@ -241,6 +241,10 @@ describe 'openstack-dashboard::server' do
|
|||
expect(chef_run).to render_file(file.name).with_content('autogenerated')
|
||||
end
|
||||
|
||||
it 'has the ssl protocol default' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^\s*SSLProtocol All -SSLv2 -SSLv3$/)
|
||||
end
|
||||
|
||||
it 'has the default DocRoot' do
|
||||
expect(chef_run).to render_file(file.name)
|
||||
.with_content('DocumentRoot /usr/share/openstack-dashboard/openstack_dashboard/.blackhole/')
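Review bot: The added example only pins the default value; nothing checks that an operator's override of `['ssl']['protocol']` reaches the rendered vhost, which is the behaviour the new attribute exists for. A second example that sets the attribute to a stricter string and expects the matching `SSLProtocol` line would cover it; how node attributes are set depends on the spec's `chef_run` setup, which is outside this hunk. A one-line comment such as `# OSSN-0039: SSLv2/SSLv3 must stay disabled by default` above the example would also record why the regex must not be loosened.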
|
||||
|
|
|
@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
|
|||
SSLEngine on
|
||||
SSLCertificateFile <%= @ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
||||
<% end %>
|
||||
|
||||
# Allow custom files to overlay the site (such as logo.png)
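Review bot: The new `SSLProtocol` line reads the attribute with double-quoted keys, while the `NameVirtualHost` line of the same template (visible in the hunk header) uses single quotes; `SSLProtocol <%= node['openstack']['dashboard']['ssl']['protocol'] %>` would match the file. The value is also written verbatim with no check, so an override that is empty or that re-adds `+SSLv3` goes straight into the vhost. A guard in the recipe or a sentence in the README would make that contract explicit. The enclosing conditional block that `<% end %>` closes starts outside the hunk.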
|
||||
|
|