Force force-tlsv12 only

Secure by default

Change-Id: Id8262de092f0f2820a4cedab6f9d0e48a0c06f3a
Matthew Thode 2018-12-17 09:49:42 -06:00
parent 83959f3aa7
commit 21e4fdfd0c
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 8 additions and 1 deletions


@ -147,7 +147,7 @@ gnocchi_ssl: false
gnocchi_ssl_cert: /etc/ssl/certs/gnocchi.pem
gnocchi_ssl_key: /etc/ssl/private/gnocchi.key
gnocchi_ssl_ca_cert: /etc/ssl/certs/gnocchi-ca.pem
gnocchi_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
gnocchi_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
gnocchi_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
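Review bot: The new default `ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1` on the added `gnocchi_ssl_protocol` line is an exclusion list, so it does not say what the release note added in the second file says: any protocol newer than TLS 1.2 that the TLS library offers (TLS 1.3 on recent OpenSSL, assuming this value lands in an Apache `SSLProtocol` directive as its syntax suggests) stays enabled, while the note claims only version 1.2 is allowed. The value is the better of the two, since pinning to `TLSv1.2` alone would block TLS 1.3, so the release note should read "TLS 1.2 or newer" rather than the default being narrowed. A comment above the line, `# Disable every protocol older than TLSv1.2 (newer versions stay enabled); the group-wide ssl_protocol variable, when set, overrides this default`, would make both the intent and the override path visible. Note also that `ssl_protocol` is consulted first, so a deployment that still sets that variable to the old `ALL -SSLv2 -SSLv3` value keeps TLS 1.0/1.1 enabled despite this change, which the release note could mention.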


@ -0,0 +1,7 @@
---
security:
- |
The default TLS version has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the gnocchi_ssl_protocol
variable.