authorSergii Rizvan <srizvan@mirantis.com>2017-03-31 13:44:55 +0300
committerSergii Rizvan <srizvan@mirantis.com>2017-03-31 14:12:24 +0300
commit7261e43577da1db39744c64ee0c37f2121182c1e (patch)
treeac68ddb8d2d4482bba84115f95be5f684fe8bd06
parent9b13f574eaac8d06cf0ec96651108edb49a7caa8 (diff)
Exclude anonymous cipher suites from Cobbler SSL configuration
The server used to be configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man-in-the-middle attacks. The new configuration applies only strong cipher suites on the SSL server. Change-Id: I8ecac040a77614fd78188995a873b85c94781411 Closes-Bug: #1646761
Notes
Notes (review): Code-Review+1: Adam Heczko <aheczko@mirantis.com> Code-Review+1: Michael Polenchuk <mpolenchuk@mirantis.com> Verified+1: Fuel CI <fuel-ci-bot@mirantis.com> Code-Review+1: Denis Egorenko <degorenko@mirantis.com> Code-Review+2: Stanislaw Bogatkin <sbogatkin@mirantis.com> Workflow+1: Vladimir Kuklin <vkuklin@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 18 Apr 2017 15:40:08 +0000 Reviewed-on: https://review.openstack.org/452144 Project: openstack/fuel-library Branch: refs/heads/master
-rw-r--r--deployment/puppet/cobbler/manifests/apache.pp2
-rw-r--r--deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb3
2 files changed, 2 insertions, 3 deletions
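diff --git a/deployment/puppet/cobbler/manifests/apache.pp b/deployment/puppet/cobbler/manifests/apache.pp
index 4bba28c..452b79b 100644
--- a/deployment/puppet/cobbler/manifests/apache.pp
+++ b/deployment/puppet/cobbler/manifests/apache.pp
@@ -60,7 +60,7 @@ class cobbler::apache {
 ],
 custom_fragment => '
 CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"',
-ssl_cipher => 'ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH',
+ssl_cipher => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
 setenvif => ['User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'],
 }
 }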
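Review bot: The new `ssl_cipher` value at line 63 drops the anonymous suites, but the ECDHE/DHE-first order it lists is only enforced when the server honors its own cipher order; otherwise the client still chooses and may settle on the non-forward-secret `RSA+AES` entries at the end of the list. If the apache module version in use supports it, adding `ssl_honorcipherorder => true,` next to this parameter would make the preference effective; the `apache::vhost` resource begins before line 60, so I could not confirm from the hunk whether it is already set. Neither the old nor the new string restricts protocol versions (the removed `!SSLv2` token only excluded SSLv2-era ciphersuites), so the vhost's `ssl_protocol` parameter is what governs SSLv3/early-TLS exposure and is worth checking in the same resource. A one-line comment above the parameter would help the next maintainer, e.g. `# Only authenticated AES suites; anonymous (aNULL), MD5 and DSS suites are excluded - see bug #1646761`.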
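diff --git a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
index 2eacda1..699e0de 100644
--- a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
+++ b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
@@ -102,7 +102,7 @@ describe "cobbler::apache" do
 :ssl_cert => "/var/lib/fuel/keys/master/cobbler/cobbler.crt",
 :ssl_key => "/var/lib/fuel/keys/master/cobbler/cobbler.key",
 :rewrites => ssl_rewrites,
-:ssl_cipher => "ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH",
+:ssl_cipher => "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS",
 :setenvif => ["User-Agent \".*MSIE.*\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"],
 )
 end
@@ -119,4 +119,3 @@ describe "cobbler::apache" do
 end
 
 end
-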