From f2f6bf0a36e8a7c2ceb278f3e48a2d21c06631c0 Mon Sep 17 00:00:00 2001
From: Mark Vanderwiel
Date: Wed, 22 Oct 2014 15:18:37 -0500
Subject: [PATCH] OSSN-0039 Prevent POODLE attacks

Allow SSL protocol attribute, default to only TLS.

Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5
Closes-Bug: #1384438
---
 CHANGELOG.md                    |  1 +
 attributes/default.rb           |  2 ++
 spec/server_spec.rb             | 15 +++++++++++++--
 templates/default/dash-site.erb |  1 +
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2a0d392..9e96685 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ This file is used to list changes made in each version of the openstack-dashboar
 * Bump Chef gem to 11.16
 * Add sensitive flag to local_settings file resource
 * allow override of the temporary directory used for file uploads
+* Set default to use only TLS for SSL. OpenStack security note OSSN-0039
 
 ## 9.1
 * python_packages database client attributes have been moved to the -common cookbook
diff --git a/attributes/default.rb b/attributes/default.rb
index 03a56dd..216e7bb 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -44,6 +44,8 @@ default['openstack']['dashboard']['ssl']['key_url'] = nil
 # they need to be manually set below, if not the conventional horizon.* names will be used.
 default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
 default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
+# Which versions of the SSL/TLS protocol will be accepted in new connections.
+default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
 
 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index 1062b06..20f2a9f 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
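Review bot: The new default `'All -SSLv2 -SSLv3'` closes the POODLE hole but, under Apache's SSLProtocol semantics, still leaves TLSv1.0 and TLSv1.1 enabled, and the added comment does not tell operators that the value is handed verbatim to that directive. I would extend the comment above the attribute to: `# Passed verbatim to Apache's SSLProtocol directive. The default only disables SSLv2/SSLv3; where clients allow, prefer a stricter value such as '-all +TLSv1.2' (needs an Apache/OpenSSL build with TLSv1.2 support).` Whether anything other than the Apache vhost template consumes this attribute is not visible in this diff, so the comment should be adjusted if another consumer exists.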
@@ -665,14 +665,25 @@ describe 'openstack-dashboard::server' do
       end
     end
 
-    it 'shows ssl certificate related directives' do
+    it 'shows ssl certificate related directives defaults' do
+      [/^\s*SSLEngine on$/,
+       %r(^\s*SSLCertificateFile /etc/ssl/certs/horizon.pem$),
+       %r(^\s*SSLCertificateKeyFile /etc/ssl/private/horizon.key$),
+       /^\s*SSLProtocol All -SSLv2 -SSLv3$/].each do |ssl_certificate_directive|
+        expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
+      end
+    end
+
+    it 'shows ssl certificate related directives overrides' do
       node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
       node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
       node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
+      node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
       [/^\s*SSLEngine on$/,
        %r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
-       %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$)].each do |ssl_certificate_directive|
+       %r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
+       /^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
         expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
       end
     end
diff --git a/templates/default/dash-site.erb b/templates/default/dash-site.erb
index 18f7b69..ae73ce2 100644
--- a/templates/default/dash-site.erb
+++ b/templates/default/dash-site.erb
@@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
     SSLEngine on
     SSLCertificateFile <%= @ssl_cert_file %>
     SSLCertificateKeyFile <%= @ssl_key_file %>
+    SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
 <% end %>
 
 # Allow custom files to overlay the site (such as logo.png)
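Review bot: The added `SSLProtocol` line restricts protocol versions only; no `SSLCipherSuite` or `SSLHonorCipherOrder` is rendered in this vhost block, so cipher selection is left to Apache's defaults and TLSv1.0 with weak suites remains reachable under the default attribute. I would add a sibling `SSLCipherSuite <%= ... %>` driven by a matching `ssl.cipher_suite` attribute next to this line. Stylistically, the neighbouring directives read template variables (`@ssl_cert_file`, `@ssl_key_file`) while this one reaches into `node[...]` directly; passing `@ssl_protocol` from the template resource would keep the block consistent. Note that a nil or empty attribute renders a bare `SSLProtocol` with no argument, which Apache will presumably reject at config check — arguably better than silently falling back to Apache's default protocol set, but it deserves a comment in the attributes file. The enclosing `<% if %>` block begins outside the hunk.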