Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP compliance.

We now enforce TLS1.1 or higher for httpd connections, to meet the
requirements for FedRAMP.

Change-Id: If875822f1cb705d17405621e64fea2536edc142a
Related-Bug: #1754368
(cherry picked from commit 1b54e4b5a7)
Juan Antonio Osorio Robles 2018-04-19 09:51:20 +03:00
parent 0a2692b6fe
commit 17be56bc19
1 changed files with 1 additions and 0 deletions

@ -98,6 +98,7 @@ outputs:
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
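
Review bot: the value on the apache::mod::ssl::ssl_protocol line is a literal denylist built on 'all', unlike the neighbouring ssl_ca line, which reads its value through get_param. Whatever the installed httpd and OpenSSL include in 'all' beyond the three excluded versions is therefore enabled implicitly, and a deployment cannot restrict the list further from the template. Consider exposing the protocol list as a template parameter with ['all', '-SSLv2', '-SSLv3', '-TLSv1'] as its default, and add a one-line comment naming the FedRAMP requirement so the exclusion list is not loosened later without context. The change stats show one file with one addition, so no release note accompanies this; clients that can only negotiate TLS 1.0 with these httpd endpoints will stop connecting, which deserves an upgrade note.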