From 599727704ab8250b6a5ce53917d1e0d24296dcd0 Mon Sep 17 00:00:00 2001
From: Matthew Thode <mthode@mthode.org>
Date: Thu, 6 Dec 2018 10:21:51 -0600
Subject: [PATCH] Force force-tlsv12 only

Secure by default

Change-Id: I8e1e26291be2a5d2b3153a853c21965d54eac3e9
---
 defaults/main.yml                                   | 2 +-
 releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 7a063f95..62585f9a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -244,7 +244,7 @@ keystone_ssl: false
 keystone_ssl_cert: /etc/ssl/certs/keystone.pem
 keystone_ssl_key: /etc/ssl/private/keystone.key
 keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
-keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1 TLSv1.1 TLSv1.2', 'ALL -SSLv2 -SSLv3') }}"
+keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
 keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
 
 # if using a self-signed certificate, set this to true to regenerate it
diff --git a/releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml b/releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml
new file mode 100644
index 00000000..f6b52982
--- /dev/null
+++ b/releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS verion has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the keystone_ssl_protocol
+    variable.