Force force-tlsv12 only

Code Issues Proposed changes

Secure by default
Change-Id: I71d4ba27c1cd3509fd99dbad0e7e7ff206f723f7

This commit is contained in:

Matthew Thode

2018年12月17日 09:53:04 -06:00

parent 24151682bd

commit 9ca27aad2f

2 changed files with 8 additions and 1 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml

View File

@@ -122,7 +122,7 @@ trove_ssl: false

trove_ssl_cert:/etc/ssl/certs/trove.pem

trove_ssl_key:/etc/ssl/private/trove.key

trove_ssl_ca_cert:/etc/ssl/certs/trove-ca.pem

trove_ssl_protocol:"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"

trove_ssl_protocol:"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"

trove_ssl_cipher_suite:"{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"

# if using a self-signed certificate, set this to true to regenerate it

7
releasenotes/notes/tls12-only-d7221a33188dc7a0.yaml Normal file

View File

@@ -0,0 +1,7 @@

---

security:

- |

The default TLS version has been set to TLS1.2. This only allows

version 1.2 of the protocol to be used when terminating or creating TLS

connections. You can change the value with the trove_ssl_protocol

variable.