Force force-tlsv12 only

Secure by default Change-Id: I507a25114481ff0c6b229eeea980785a45dad460
2018-12-17 09:57:03 -06:00 · 2018-12-17 09:57:03 -06:00 · 05d9f6a032
parent 7b27f7ba30
commit 05d9f6a032
2 changed files with 7 additions and 1 deletions
--- a/inventory/group_vars/all/ssl.yml
+++ b/inventory/group_vars/all/ssl.yml
@ -16,6 +16,6 @@
 ## SSL
 # These do not need to be configured unless you're creating certificates for
 # services running behind Apache (currently, Horizon and Keystone).
-ssl_protocol: "ALL -SSLv2 -SSLv3"
+ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
--- a/releasenotes/notes/tls12-only-08825fd013f0a244.yaml
+++ b/releasenotes/notes/tls12-only-08825fd013f0a244.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the ssl_protocol variable.