From 63682ef211b26b05ce58e50e14166ac09169dafc Mon Sep 17 00:00:00 2001
From: Ian Cordasco <ian.cordasco@rackspace.com>
Date: Wed, 8 Apr 2015 17:12:37 -0500
Subject: [PATCH] Genericize how we update SSL settings for Apache

In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
Apache SSL settings. In order to keep all Apache SSL settings uniformly
configured, we also need to update Horizon's settings and centralize
where we define the cipher suite that the server supports and the
preferred protocol versions.

We also explicitly disable SSLCompression even though we tend to only
test against versions of Apache that have this off by default. If
someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
have to explicitly turn this off. Preferring security by default, we
disable it explicitly to prevent insecure installations anywhere.

We also document how users can override specific service SSL settings in
the event one service needs to support older clients that require
certain protocols or ciphers. For example, it's very plausible that an
organization may need to enable RC4 and SSLv3 for Horizon since their
users are still using XP and an old version of Internet Explorer.

Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
---
 defaults/main.yml                | 5 ++---
 templates/keystone-httpd.conf.j2 | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 54cd1885..6ac5e89e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -111,9 +111,8 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
-keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
-# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+keystone_ssl_protocol: "{{ ssl_protocol }}"
+keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 
 ## Caching
 # If set this will enable dog pile cache for keystone.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 4597623e..a5fc9ed4 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -18,6 +18,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
     SSLCARevocationPath   {{ keystone_ssl_cert_path }}
     SSLVerifyClient optional
     SSLVerifyDepth 10
+    SSLCompression Off
     SSLProtocol {{ keystone_ssl_protocol }}
     SSLHonorCipherOrder On
     SSLCipherSuite {{ keystone_ssl_cipher_suite }}
@@ -42,6 +43,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
     SSLCARevocationPath   {{ keystone_ssl_cert_path }}
     SSLVerifyClient optional
     SSLVerifyDepth 10
+    SSLCompression Off
     SSLProtocol {{ keystone_ssl_protocol }}
     SSLHonorCipherOrder On
     SSLCipherSuite {{ keystone_ssl_cipher_suite }}