Force force-tlsv12 only

Secure by default

Change-Id: I8e1e26291be2a5d2b3153a853c21965d54eac3e9
This commit is contained in:
Matthew Thode 2018-12-06 10:21:51 -06:00
parent 0f85a714fd
commit 599727704a
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 8 additions and 1 deletions

View File

@ -244,7 +244,7 @@ keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1 TLSv1.1 TLSv1.2', 'ALL -SSLv2 -SSLv3') }}" keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it # if using a self-signed certificate, set this to true to regenerate it

View File

@ -0,0 +1,7 @@
---
security:
- |
The default TLS verion has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the keystone_ssl_protocol
variable.