OSSN-0039 Prevent POODLE attacks

Allow SSL protocol attribute, default to only TLS. Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5 Closes-Bug: #1384438
2014-10-22 15:18:37 -05:00 · 2014-10-22 15:18:37 -05:00 · f2f6bf0a36
parent 81125daae5
commit f2f6bf0a36
4 changed files with 17 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -17,6 +17,7 @@ This file is used to list changes made in each version of the openstack-dashboar
 * Bump Chef gem to 11.16
 * Add sensitive flag to local_settings file resource
 * allow override of the temporary directory used for file uploads
+* Set default to use only TLS for SSL. OpenStack security note OSSN-0039

 ## 9.1
 * python_packages database client attributes have been moved to the -common cookbook
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -44,6 +44,8 @@ default['openstack']['dashboard']['ssl']['key_url'] = nil
 # they need to be manually set below, if not the conventional horizon.* names will be used.
 default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
+# Which versions of the SSL/TLS protocol will be accepted in new connections.
+default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'

 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@ -665,14 +665,25 @@ describe 'openstack-dashboard::server' do
            end
          end

-          it 'shows ssl certificate related directives' do
+          it 'shows ssl certificate related directives defaults' do
+            [/^\s*SSLEngine on$/,
+             %r(^\s*SSLCertificateFile /etc/ssl/certs/horizon.pem$),
+             %r(^\s*SSLCertificateKeyFile /etc/ssl/private/horizon.key$),
+             /^\s*SSLProtocol All -SSLv2 -SSLv3$/].each do |ssl_certificate_directive|
+              expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+            end
+          end
+
+          it 'shows ssl certificate related directives overrides' do
            node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
            node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
            node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
+            node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'

            [/^\s*SSLEngine on$/,
             %r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
-             %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$)].each do |ssl_certificate_directive|
+             %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
+             /^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
              expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
            end
          end
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
  SSLEngine on
  SSLCertificateFile <%= @ssl_cert_file %>
  SSLCertificateKeyFile <%= @ssl_key_file %>
+  SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
  <% end %>

  # Allow custom files to overlay the site (such as logo.png)