From 7ccbfe76a62578d1414131ef895db0723fd2b3a4 Mon Sep 17 00:00:00 2001
From: Mark Vanderwiel
Date: Thu, 23 Apr 2015 10:44:01 -0500
Subject: [PATCH] Allow ssl ciphers to be optionally configured for horizon

Add the SSLCipherSuite to the dash-site template.

Change-Id: I7b87761dd1ab0618e6ae6de428ec0b736e4aa483
Closes-Bug: #1447668
---
 attributes/default.rb | 3 +++
 spec/apache2-server_spec.rb | 12 +++++++++---
 templates/default/dash-site.erb | 7 +++++--
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 6f62070..3d6aec7 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -52,6 +52,9 @@ default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
 # Which versions of the SSL/TLS protocol will be accepted in new connections.
 default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
+# Which ciphers to use with the SSL/TLS protocol.
+# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
+default['openstack']['dashboard']['ssl']['ciphers'] = nil
 
 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
diff --git a/spec/apache2-server_spec.rb b/spec/apache2-server_spec.rb
index ddf89df..91fc36d 100644
--- a/spec/apache2-server_spec.rb
+++ b/spec/apache2-server_spec.rb
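Review bot: The example cipher string in the added comment is missing a separator: `!PSK!RC4` should be `!PSK:!RC4`. OpenSSL's cipher-list parser does not treat the stray `!RC4` as its own rule — depending on the OpenSSL version it is either rejected as an invalid command or silently skipped — so an operator who copies the example would not exclude the RC4 family beyond the two suites named explicitly at the end. Fix the line to `# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK:!RC4:!RC4-MD5:!RC4-SHA'` and suggest validating any list with `openssl ciphers -v '<list>'` before deploying. The comment should also state what the default means, e.g. `# nil leaves mod_ssl's built-in SSLCipherSuite default in effect; set an explicit list to pin the server's cipher policy.`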
@@ -218,17 +218,23 @@ describe 'openstack-dashboard::apache2-server' do
       end
     end
 
-    it 'shows ssl certificate related directives overrides' do
+    it 'has no ssl ciphers configured by default' do
+      expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
+    end
+
+    it 'shows ssl related directives overrides' do
       node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
       node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
       node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
       node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
+      node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
       [/^\s*SSLEngine on$/,
        %r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
        %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
-       /^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
-        expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+       /^\s*SSLProtocol ssl_protocol_value$/,
+       /^\s*SSLCipherSuite ssl_ciphers_value$/].each do |ssl_directive|
+        expect(chef_run).to render_file(file.name).with_content(ssl_directive)
       end
     end
   end
diff --git a/templates/default/dash-site.erb b/templates/default/dash-site.erb
index 0ced221..d7af730 100644
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
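Review bot: The new negative test only covers the default (`ciphers` nil) case; nothing exercises the template's nesting of the cipher block under `use_ssl`, so a later edit that hoists `SSLCipherSuite` out of the `use_ssl` guard would go unnoticed. A second case that sets `ciphers` with `use_ssl` false and asserts the directive is absent would pin that behaviour. Note also that `not_to render_file(...).with_content(...)` passes trivially if the file is not rendered at all, so this assertion relies on the neighbouring positive tests to prove the file exists — worth a one-line comment. The enclosing `describe` block begins before this hunk.
```ruby
    it 'does not render SSLCipherSuite when ssl is disabled' do
      node.set['openstack']['dashboard']['use_ssl'] = false
      node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
      expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite/)
    end
```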
@@ -63,12 +63,15 @@ NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
   <% end -%>
 
-  <% if node["openstack"]["dashboard"]["use_ssl"] %>
+  <% if node["openstack"]["dashboard"]["use_ssl"] -%>
   SSLEngine on
   SSLCertificateFile <%= @ssl_cert_file %>
   SSLCertificateKeyFile <%= @ssl_key_file %>
   SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
-  <% end %>
+  <% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>
+  SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>
+  <% end -%>
+  <% end -%>
 
   # Allow custom files to overlay the site (such as logo.png)
   RewriteEngine On
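Review bot: Emitting `SSLCipherSuite` without `SSLHonorCipherOrder on` means the client's preference, not the order an operator writes in `ciphers`, decides which suite from the list is negotiated, so the new knob cannot express a server-side preference (e.g. forward-secret suites first). Add `SSLHonorCipherOrder on` directly after the new `SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>` line, inside the same guard. The attribute value is interpolated into the Apache config unescaped; it is an operator-controlled node attribute, so this is acceptable, but a value containing a newline would become additional directives, which is worth a short comment in the template. The `<VirtualHost>` that encloses these lines starts before the hunk.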