OSSN-0039 Prevent POODLE attacks
Allow SSL protocol attribute, default to only TLS. Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5 Closes-Bug: #1384438
parent
81125daae5
commit
f2f6bf0a36
|
@ -17,6 +17,7 @@ This file is used to list changes made in each version of the openstack-dashboar
|
|||
* Bump Chef gem to 11.16
|
||||
* Add sensitive flag to local_settings file resource
|
||||
* allow override of the temporary directory used for file uploads
|
||||
* Set default to use only TLS for SSL. OpenStack security note OSSN-0039
|
||||
|
||||
## 9.1
|
||||
* python_packages database client attributes have been moved to the -common cookbook
|
||||
|
|
|
@ -44,6 +44,8 @@ default['openstack']['dashboard']['ssl']['key_url'] = nil
|
|||
# they need to be manually set below, if not the conventional horizon.* names will be used.
|
||||
default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
||||
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
||||
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
||||
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||
|
||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||
# allows everything
|
||||
|
|
|
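Review bot: The comment above the new `['ssl']['protocol']` attribute does not say that the string is written unchanged into Apache's `SSLProtocol` directive (as the template change in this commit does), nor that an override which drops `-SSLv3` re-opens the issue OSSN-0039 describes. I would extend it to something like `# Passed verbatim to Apache's SSLProtocol directive; any override must keep -SSLv2 -SSLv3 (OSSN-0039).` The default `All -SSLv2 -SSLv3` also leaves every TLS version enabled, so operators who need a stricter minimum must set it explicitly; a short comment would make that clear.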
@ -665,14 +665,25 @@ describe 'openstack-dashboard::server' do
|
|||
end
|
||||
end
|
||||
|
||||
it 'shows ssl certificate related directives' do
|
||||
it 'shows ssl certificate related directives defaults' do
|
||||
[/^\s*SSLEngine on$/,
|
||||
%r(^\s*SSLCertificateFile /etc/ssl/certs/horizon.pem$),
|
||||
%r(^\s*SSLCertificateKeyFile /etc/ssl/private/horizon.key$),
|
||||
/^\s*SSLProtocol All -SSLv2 -SSLv3$/].each do |ssl_certificate_directive|
|
||||
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
||||
end
|
||||
end
|
||||
|
||||
it 'shows ssl certificate related directives overrides' do
|
||||
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
||||
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
||||
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
||||
node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
|
||||
|
||||
[/^\s*SSLEngine on$/,
|
||||
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
||||
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$)].each do |ssl_certificate_directive|
|
||||
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
|
||||
/^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
|
||||
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
|
|||
SSLEngine on
|
||||
SSLCertificateFile <%= @ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
||||
<% end %>
|
||||
|
||||
# Allow custom files to overlay the site (such as logo.png)
|
||||
|
|
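Review bot: The attribute is interpolated into `SSLProtocol` with no check, so an override that is nil or empty renders a bare `SSLProtocol` line and a permissive override is written out as-is. Apache would presumably reject the bare directive, but only when the service restarts; a guard in the recipe that raises on a blank value would fail earlier, during the Chef run, and with a clearer message. On style, this line indexes `node` with double-quoted keys while the `NameVirtualHost` line shown in the hunk header uses single quotes; `node['openstack']['dashboard']['ssl']['protocol']` would match the rest of the template. The conditional closed by `<% end %>` starts outside the hunk.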