Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites. The old variable for TLS v1.2 and below ciphers is renamed for consistency, but is still supported as a default where overridden by deployments. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943 Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
This commit is contained in:
parent
9b8cdbc525
commit
32e332b329
@ -211,8 +211,11 @@ horizon_wsgi_threads: "{{ [[ansible_facts['processor_vcpus']|default(2) // 2, 1]
|
|||||||
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
|
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
|
||||||
horizon_ssl_key: /etc/ssl/private/horizon.key
|
horizon_ssl_key: /etc/ssl/private/horizon.key
|
||||||
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
|
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
|
||||||
horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.1') }}"
|
horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
|
||||||
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
# TLS v1.2 and below
|
||||||
|
horizon_ssl_cipher_suite_tls12: "{{ horizon_ssl_cipher_suite | default(ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
|
||||||
|
# TLS v1.3
|
||||||
|
horizon_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
|
||||||
# if using a self-signed certificate, set this to true to regenerate it
|
# if using a self-signed certificate, set this to true to regenerate it
|
||||||
horizon_ssl_self_signed_regen: false
|
horizon_ssl_self_signed_regen: false
|
||||||
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||||
|
6
releasenotes/notes/tls_variables-ab6684a5a5505068.yaml
Normal file
6
releasenotes/notes/tls_variables-ab6684a5a5505068.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The variable 'horizon_ssl_cipher_suite' is deprecated in favour of
|
||||||
|
'horizon_ssl_cipher_suite_tls12' which will continue to manage
|
||||||
|
configuration of ciphers for TLS v1.2 and earlier.
|
@ -30,7 +30,12 @@
|
|||||||
SSLCompression Off
|
SSLCompression Off
|
||||||
SSLProtocol {{ horizon_ssl_protocol }}
|
SSLProtocol {{ horizon_ssl_protocol }}
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCipherSuite {{ horizon_ssl_cipher_suite }}
|
{% if horizon_ssl_cipher_suite_tls12 != "" -%}
|
||||||
|
SSLCipherSuite {{ horizon_ssl_cipher_suite_tls12 }}
|
||||||
|
{% endif -%}
|
||||||
|
{% if horizon_ssl_cipher_suite_tls13 != "" -%}
|
||||||
|
SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}
|
||||||
|
{% endif -%}
|
||||||
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
|
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
|
||||||
|
Loading…
Reference in New Issue
Block a user