From 47db7ea2924973d1803c2f7dae894a3e3d6fff21 Mon Sep 17 00:00:00 2001
From: Timothy Chavez
Date: Thu, 16 Oct 2014 11:37:17 -0500
Subject: [PATCH] Use the SSLProtocol blacklist approach

It turns out that specifying the ciphers we want to use leads to breakage. So instead we'll explicitly tell Apache which ciphers we don't want to use.

Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
---
 modules/cgit/templates/git.vhost.erb | 2 +-
 modules/etherpad_lite/templates/etherpadlite.vhost.erb | 2 +-
 modules/gerrit/templates/gerrit.vhost.erb | 2 +-
 modules/jenkins/templates/jenkins.vhost.erb | 2 +-
 modules/mediawiki/templates/apache/mediawiki.erb | 2 +-
 modules/openstackid/templates/vhost.erb | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/cgit/templates/git.vhost.erb b/modules/cgit/templates/git.vhost.erb
index 09b8748b9d..1cde554ad8 100644
--- a/modules/cgit/templates/git.vhost.erb
+++ b/modules/cgit/templates/git.vhost.erb
@@ -60,7 +60,7 @@
 CustomLog /var/log/httpd/git-access.log combined
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
diff --git a/modules/etherpad_lite/templates/etherpadlite.vhost.erb b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
index c42d19ee5f..b77aa10848 100644
--- a/modules/etherpad_lite/templates/etherpadlite.vhost.erb
+++ b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
@@ -23,7 +23,7 @@
 CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-access.log combined
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
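Review bot: `SSLProtocol All -SSLv2 -SSLv3` on the new line of the cgit hunk is a deny-list, so the accepted protocol set now depends on whatever the installed mod_ssl/OpenSSL build treats as `All` (TLSv1 and, where the build offers it, TLSv1.1 stay enabled), and nothing in the template records why the explicit list was dropped. I would add a comment above the directive, e.g. `# Deny-list form: the explicit +TLSv1.1 +TLSv1.2 list broke on some hosts (presumably older mod_ssl); move back to an allow-list once every host accepts it.` The identical line is repeated in the etherpad_lite, gerrit, jenkins, mediawiki and openstackid vhost hunks, so the comment applies there too, and a single shared value interpolated into each template would keep the protocol policy from drifting between services. Each vhost block starts and ends outside its hunk, so whether `SSLCipherSuite` or `SSLHonorCipherOrder` is set elsewhere is not visible here.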
diff --git a/modules/gerrit/templates/gerrit.vhost.erb b/modules/gerrit/templates/gerrit.vhost.erb
index eaca390fa6..2e1a48851f 100644
--- a/modules/gerrit/templates/gerrit.vhost.erb
+++ b/modules/gerrit/templates/gerrit.vhost.erb
@@ -24,7 +24,7 @@
 CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("gerrit::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("gerrit::ssl_key_file") %>
diff --git a/modules/jenkins/templates/jenkins.vhost.erb b/modules/jenkins/templates/jenkins.vhost.erb
index 69e6e4f18f..ef0f8ce717 100644
--- a/modules/jenkins/templates/jenkins.vhost.erb
+++ b/modules/jenkins/templates/jenkins.vhost.erb
@@ -22,7 +22,7 @@
 CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::jenkins::master::vhost_name") %>-ssl-access.log combined
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("::jenkins::master::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("::jenkins::master::ssl_key_file") %>
diff --git a/modules/mediawiki/templates/apache/mediawiki.erb b/modules/mediawiki/templates/apache/mediawiki.erb
index b1cd718069..92c01f46f9 100644
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@@ -39,7 +39,7 @@
 ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("mediawiki::ssl_key_file") %>
 <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
diff --git a/modules/openstackid/templates/vhost.erb b/modules/openstackid/templates/vhost.erb
index 17cc096b74..f02169704c 100644
--- a/modules/openstackid/templates/vhost.erb
+++ b/modules/openstackid/templates/vhost.erb
@@ -19,7 +19,7 @@
 CustomLog ${APACHE_LOG_DIR}/openstackid-ssl-access.log combined
 SSLEngine on
- SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile <%= scope.lookupvar("openstackid::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("openstackid::ssl_key_file") %>
 <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>