diff --git a/attributes/default.rb b/attributes/default.rb
index 6f62070..3d6aec7 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -52,6 +52,9 @@ default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
 # Which versions of the SSL/TLS protocol will be accepted in new connections.
 default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
+# Which ciphers to use with the SSL/TLS protocol.
+# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
+default['openstack']['dashboard']['ssl']['ciphers'] = nil
 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
diff --git a/spec/apache2-server_spec.rb b/spec/apache2-server_spec.rb
index ddf89df..91fc36d 100644
--- a/spec/apache2-server_spec.rb
+++ b/spec/apache2-server_spec.rb
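Review bot: The example cipher string in the new comment is malformed: `!PSK!RC4` lacks the `:` separator that OpenSSL cipher-list rules require, so anyone copying it verbatim gets at best a silently ignored `!RC4` rule (the later `!RC4-MD5:!RC4-SHA` happens to cover the same suites, which hides the typo); it should read `!PSK:!RC4`. The example also admits `MEDIUM` and plain `RSA` key exchange while excluding `!kEDH`, which gives no forward secrecy; an example that prefers ECDHE suites, e.g. `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXP:!MD5:!RC4`, would steer operators better, though which suites are available depends on the OpenSSL build and is not visible here. The comment should also say what `nil` means in practice, e.g. `# nil leaves SSLCipherSuite unset, so mod_ssl's built-in default list applies; set this to harden the dashboard.`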
@@ -218,17 +218,23 @@ describe 'openstack-dashboard::apache2-server' do
 end
 end
- it 'shows ssl certificate related directives overrides' do
+ it 'has no ssl ciphers configured by default' do
+ expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
+ end
+
+ it 'shows ssl related directives overrides' do
 node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
 node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
 node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
 node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
+ node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
 [/^\s*SSLEngine on$/,
 %r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
 %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
- /^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
- expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+ /^\s*SSLProtocol ssl_protocol_value$/,
+ /^\s*SSLCipherSuite ssl_ciphers_value$/].each do |ssl_directive|
+ expect(chef_run).to render_file(file.name).with_content(ssl_directive)
 end
 end
 end
diff --git a/templates/default/dash-site.erb b/templates/default/dash-site.erb
index 0ced221..d7af730 100644
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
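Review bot: The new `has no ssl ciphers configured by default` example only checks that `SSLCipherSuite` is absent, which would pass just as well if the entire `use_ssl` block were skipped, so it does not show that the `ciphers` guard is what suppresses the directive. Assert the SSL block is present in the same example, e.g. `expect(chef_run).to render_file(file.name).with_content(/^\s*SSLEngine on$/)` before the `not_to` expectation; whether `use_ssl` is enabled in this spec's default node is not visible in the hunk. A third example setting `node.set['openstack']['dashboard']['ssl']['ciphers'] = ''` would pin down what the template should do with a present-but-blank value, which is currently undefined by the tests.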
@@ -63,12 +63,15 @@ NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
 <% end -%>
- <% if node["openstack"]["dashboard"]["use_ssl"] %>
+ <% if node["openstack"]["dashboard"]["use_ssl"] -%>
 SSLEngine on
 SSLCertificateFile <%= @ssl_cert_file %>
 SSLCertificateKeyFile <%= @ssl_key_file %>
 SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
- <% end %>
+ <% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>
+ SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>
+ <% end -%>
+ <% end -%>
 # Allow custom files to overlay the site (such as logo.png)
 RewriteEngine On
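Review bot: `SSLCipherSuite` alone only restricts the set of suites; the order an operator encodes in the list is not enforced unless `SSLHonorCipherOrder on` is also present, so a client can still negotiate the weakest suite the list permits — consider emitting `SSLHonorCipherOrder on` directly after the new directive inside the same `if`, or gating it behind its own attribute. The `<% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>` guard is truthiness-based, and an empty string is truthy in Ruby, so `ciphers = ''` renders `SSLCipherSuite ` with no argument and Apache refuses to start; `<% unless node["openstack"]["dashboard"]["ssl"]["ciphers"].to_s.empty? -%>` avoids that. The enclosing VirtualHost block begins and ends outside the hunk.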