openstack
/
openstack-ansible-os_keystone
Code Issues Proposed changes

Merge "Force force-tlsv12 only"

This commit is contained in:
Zuul 2018-12-12 18:03:16 +00:00 committed by Gerrit Code Review
parent 10855c374f 599727704a
commit 4fc73bd711
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -244,7 +244,7 @@ keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1 TLSv1.1 TLSv1.2', 'ALL -SSLv2 -SSLv3') }}"
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it

7
releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml Normal file
View File

@ -0,0 +1,7 @@
---
security:
- |
The default TLS verion has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the keystone_ssl_protocol
variable.