Remove 3DES from trove_ssl_cipher_suite

Triple-DES is a vulnerable cipher and should be disabled by default.

https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Change-Id: Id2d22e4dafb6bf34add554a5346ead5a9552e828
Jimmy McCrory 2017-02-09 17:44:34 -08:00
parent 8575a5f1bb
commit b66094ee9e


@ -96,7 +96,7 @@ trove_ssl_cert: /etc/ssl/certs/trove.pem
trove_ssl_key: /etc/ssl/private/trove.key
trove_ssl_ca_cert: /etc/ssl/certs/trove-ca.pem
trove_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
trove_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS') }}"
trove_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
trove_ssl_self_signed_regen: false
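Review bot: The new `trove_ssl_cipher_suite` default only applies when `ssl_cipher_suite` is undefined, so a deployment that already sets that variable to the old string will keep offering the 3DES suites after this change. The remaining selectors are all AES-based, so the default itself no longer matches 3DES, but nothing on the line records that the omission is deliberate. I would add a comment above it such as `# 3DES suites are intentionally omitted (SWEET32); an ssl_cipher_suite override replaces this whole list`. If the project keeps upgrade notes, one telling operators to check their own `ssl_cipher_suite` value would also help. Separately, the unchanged `trove_ssl_protocol` default of `ALL -SSLv2 -SSLv3` may be worth a follow-up review, since it does not exclude older TLS versions.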