OSSN-0039 Prevent POODLE attacks
Add an SSL protocol attribute for the Horizon vhost and default it to TLS only (SSLv2 and SSLv3 disabled). Change-Id: I58758e99ea1256aeefff27d441b0a527169829b5 Closes-Bug: #1384438
parent
81125daae5
commit
f2f6bf0a36
|
@ -17,6 +17,7 @@ This file is used to list changes made in each version of the openstack-dashboar
|
||||||
* Bump Chef gem to 11.16
|
* Bump Chef gem to 11.16
|
||||||
* Add sensitive flag to local_settings file resource
|
* Add sensitive flag to local_settings file resource
|
||||||
* allow override of the temporary directory used for file uploads
|
* allow override of the temporary directory used for file uploads
|
||||||
|
* Set default to use only TLS for SSL. OpenStack security note OSSN-0039
|
||||||
|
|
||||||
## 9.1
|
## 9.1
|
||||||
* python_packages database client attributes have been moved to the -common cookbook
|
* python_packages database client attributes have been moved to the -common cookbook
|
||||||
|
|
|
@ -44,6 +44,8 @@ default['openstack']['dashboard']['ssl']['key_url'] = nil
|
||||||
# they need to be manually set below, if not the conventional horizon.* names will be used.
|
# they need to be manually set below, if not the conventional horizon.* names will be used.
|
||||||
default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
||||||
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
||||||
|
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
||||||
|
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||||
|
|
||||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||||
# allows everything
|
# allows everything
|
||||||
|
|
|
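Review bot: The comment on the new `protocol` attribute says which versions are accepted but not that the string is handed verbatim to Apache's `SSLProtocol` directive, nor why SSLv3 is excluded, so an operator loosening it for an old client can re-enable SSLv3 without realising that reopens POODLE. I would extend the comment to `# Passed verbatim to Apache's SSLProtocol directive. SSLv3 is excluded because of POODLE (OSSN-0039, CVE-2014-3566); do not re-add it.` The deny-list form `All -SSLv2 -SSLv3` is presumably used because the `TLSv1.1`/`TLSv1.2` keywords only exist on Apache 2.4 with OpenSSL 1.0.1 or newer; stating that in the comment stops someone "tidying" it into an allow-list that breaks older platforms.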
@ -665,14 +665,25 @@ describe 'openstack-dashboard::server' do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'shows ssl certificate related directives' do
|
it 'shows ssl certificate related directives defaults' do
|
||||||
|
[/^\s*SSLEngine on$/,
|
||||||
|
%r(^\s*SSLCertificateFile /etc/ssl/certs/horizon.pem$),
|
||||||
|
%r(^\s*SSLCertificateKeyFile /etc/ssl/private/horizon.key$),
|
||||||
|
/^\s*SSLProtocol All -SSLv2 -SSLv3$/].each do |ssl_certificate_directive|
|
||||||
|
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'shows ssl certificate related directives overrides' do
|
||||||
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
||||||
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
||||||
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
||||||
|
node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
|
||||||
|
|
||||||
[/^\s*SSLEngine on$/,
|
[/^\s*SSLEngine on$/,
|
||||||
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
||||||
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$)].each do |ssl_certificate_directive|
|
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
|
||||||
|
/^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
|
||||||
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
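Review bot: Both examples now iterate an `SSLProtocol` pattern under the loop variable `ssl_certificate_directive`, and the example names still say "ssl certificate related directives", but `SSLProtocol` is not a certificate directive; renaming the variable to `ssl_directive` and the examples to `'shows ssl directives defaults'` / `'shows ssl directives overrides'` keeps the spec honest as further non-certificate directives (cipher suite, cipher order) are added. The two arrays also repeat the same `SSLEngine on` regex and bracket-heavy literal, which a shared `let(:base_ssl_directives)` would let each example extend with only what differs. The enclosing `describe 'openstack-dashboard::server'` block, and whatever context enables SSL for these examples, starts outside the hunk.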
@ -58,6 +58,7 @@ NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%>
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile <%= @ssl_cert_file %>
|
SSLCertificateFile <%= @ssl_cert_file %>
|
||||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||||
|
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
||||||
<% end %>
|
<% end %>
|
||||||
|
|
||||||
# Allow custom files to overlay the site (such as logo.png)
|
# Allow custom files to overlay the site (such as logo.png)
|
||||||
|
|
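Review bot: The new `SSLProtocol` line is rendered unconditionally, so setting `node['openstack']['dashboard']['ssl']['protocol']` to nil or an empty string yields a bare `SSLProtocol` directive and Apache rejects the config; failing closed is better than silently falling back to Apache's `all` default (which permits SSLv3 on older releases), but that consequence belongs in the attribute comment. The line also reads the node attribute directly while the adjacent directives use `@ssl_cert_file` / `@ssl_key_file` passed in from the recipe, and uses double-quoted keys where the `NameVirtualHost` line uses single quotes; passing `ssl_protocol` as a template variable and writing `SSLProtocol <%= @ssl_protocol %>` keeps the template consistent. Excluding SSLv3 does not constrain the cipher list: no `SSLCipherSuite` or `SSLHonorCipherOrder` appears in this hunk, so unless the template sets them elsewhere the server still negotiates whatever the distribution default allows (RC4 and CBC suites included), which a companion `ssl['cipher_suite']` attribute would address. The conditional block closed by `<% end %>` starts outside the hunk.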