Use the SSLProtocol blacklist approach

It turns out that specifying the ciphers we want to use leads to breakage. So instead we'll explicitly tell Apache which ciphers we don't want to use. Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
2014-10-16 11:37:17 -05:00 · 2014-10-16 11:37:17 -05:00 · 47db7ea292
commit 47db7ea292
parent 2783a56a16
6 changed files with 6 additions and 6 deletions
--- a/modules/cgit/templates/git.vhost.erb
+++ b/modules/cgit/templates/git.vhost.erb
@ -60,7 +60,7 @@
  CustomLog /var/log/httpd/git-access.log combined

  SSLEngine on
-  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol All -SSLv2 -SSLv3

  SSLCertificateFile      <%= scope.lookupvar("cgit::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("cgit::ssl_key_file") %>
--- a/modules/etherpad_lite/templates/etherpadlite.vhost.erb
+++ b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
@ -23,7 +23,7 @@
  CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-access.log combined

  SSLEngine on
-  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol All -SSLv2 -SSLv3

  SSLCertificateFile      <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
--- a/modules/gerrit/templates/gerrit.vhost.erb
+++ b/modules/gerrit/templates/gerrit.vhost.erb
@ -24,7 +24,7 @@
  CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined

  SSLEngine on
-  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol All -SSLv2 -SSLv3

  SSLCertificateFile      <%= scope.lookupvar("gerrit::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("gerrit::ssl_key_file") %>
--- a/modules/jenkins/templates/jenkins.vhost.erb
+++ b/modules/jenkins/templates/jenkins.vhost.erb
@ -22,7 +22,7 @@
             CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::jenkins::master::vhost_name") %>-ssl-access.log combined

             SSLEngine on
-             SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+             SSLProtocol All -SSLv2 -SSLv3

             SSLCertificateFile      <%= scope.lookupvar("::jenkins::master::ssl_cert_file") %>
             SSLCertificateKeyFile   <%= scope.lookupvar("::jenkins::master::ssl_key_file") %>
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@ -39,7 +39,7 @@
        ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>

        SSLEngine on
-        SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+        SSLProtocol All -SSLv2 -SSLv3
        SSLCertificateFile      <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
        SSLCertificateKeyFile   <%= scope.lookupvar("mediawiki::ssl_key_file") %>
        <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
--- a/modules/openstackid/templates/vhost.erb
+++ b/modules/openstackid/templates/vhost.erb
@ -19,7 +19,7 @@
  CustomLog ${APACHE_LOG_DIR}/openstackid-ssl-access.log combined

  SSLEngine on
-  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol All -SSLv2 -SSLv3
  SSLCertificateFile      <%= scope.lookupvar("openstackid::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("openstackid::ssl_key_file") %>
 <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>