Add defaults for TLS 1.3 and rename TLS <= 1.2 variable

TLS v1.3 uses different (incompatible) cipher suite names, so
a new variable is added to set these in roles which require them.

TLS v1.2 and below is still required, but the variable name is
changed to avoid confusion, whilst using the old name as a default
if set by a user deployment.

Change-Id: I9312daa7ca75e484f8aa3857fe43565c89e3f09a
Andrew Bonney 2022-01-10 08:14:09 +00:00
parent b018162d37
commit 0d74b74bfc
2 changed files with 13 additions and 2 deletions
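The two defaults below can be checked against the local OpenSSL before a deployment rolls them out. The following script is an added example, not code from this commit or from OpenStack-Ansible: it feeds the TLS <= 1.2 string to Python's `ssl` module (which wraps OpenSSL's TLS <= 1.2 cipher-string API, `SSLContext.set_ciphers`) and shows that this string leaves the TLS 1.3 suites enabled and untouched, while the TLS 1.3 names are rejected outright by that API. That is the reason the two variables are separate. The `WEAK_MARKERS` list, the function names and the check names are assumptions of this example; the TLS 1.3 entries only appear when Python is built against an OpenSSL with TLS 1.3 support, which `openssl_has_tls13` reports.

```python
"""Check the TLS <= 1.2 and TLS 1.3 cipher-suite defaults against local OpenSSL.

Added example, not part of the commit or of OpenStack-Ansible. Python's ssl
module only exposes OpenSSL's TLS <= 1.2 cipher-string API (set_ciphers), so
it demonstrates why the TLS 1.3 suite names need their own variable.
"""
import ssl

# Default values as they appear in the diff.
SSL_CIPHER_SUITE_TLS12 = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
)
SSL_CIPHER_SUITE_TLS13 = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
)

# Substrings that must not appear in any resolved TLS <= 1.2 cipher name.
# This is an assumed policy for the check, not something the commit defines.
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH", "PSK", "SRP")


def _context_with(cipher_string):
    """Server context with a TLS <= 1.2 cipher string applied via OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def expand_tls12(tls12_string):
    """Concrete TLS <= 1.2 cipher names OpenSSL resolves the string to."""
    return [c["name"] for c in _context_with(tls12_string).get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def enabled_tls13(tls12_string):
    """TLS 1.3 suites still enabled after set_ciphers(): the TLS <= 1.2
    string does not touch them, so a separate variable is needed."""
    return [c["name"] for c in _context_with(tls12_string).get_ciphers()
            if c["protocol"] == "TLSv1.3"]


def tls12_api_accepts(cipher_string):
    """True if set_ciphers() accepts the string. OpenSSL reports 'no cipher
    match' when a string resolves to zero TLS <= 1.2 ciphers, which is what
    happens when it is fed TLS 1.3 suite names."""
    try:
        _context_with(cipher_string)
    except ssl.SSLError:
        return False
    return True


def weak_ciphers(names):
    """Resolved names matching a weak marker; expected empty for the default."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def run_checks(tls12_string=SSL_CIPHER_SUITE_TLS12,
               tls13_string=SSL_CIPHER_SUITE_TLS13):
    """Summary a deployer can inspect before rolling the variables out."""
    resolved = expand_tls12(tls12_string)
    tls13_enabled = enabled_tls13(tls12_string)
    return {
        "openssl_has_tls13": ssl.HAS_TLSv1_3,
        "tls12_resolved": resolved,
        "tls12_weak": weak_ciphers(resolved),
        "tls13_still_enabled": tls13_enabled,
        "tls13_names_rejected_by_tls12_api": not tls12_api_accepts(tls13_string),
        # TLS 1.3 suites the local OpenSSL enables that the new variable's
        # default does not list; anything here would need adding there.
        "tls13_unlisted": sorted(set(tls13_enabled) - set(tls13_string.split(":"))),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Run it on the host that will render the Apache configuration: `tls12_weak` and `tls13_unlisted` should both come back empty, and `tls13_names_rejected_by_tls12_api` should be `True`, confirming that an override of the old `ssl_cipher_suite` value cannot reach the TLS 1.3 suites.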


@ -18,7 +18,8 @@
# services running behind Apache (currently, Horizon and Keystone). # services running behind Apache (currently, Horizon and Keystone).
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
#variables used in OSA roles which call the PKI role #variables used in OSA roles which call the PKI role
openstack_pki_dir: "/etc/openstack_deploy/pki" openstack_pki_dir: "/etc/openstack_deploy/pki"
@ -63,4 +64,4 @@ openstack_pki_authorities:
#install the root CA certificate on all hosts and containers #install the root CA certificate on all hosts and containers
openstack_pki_install_ca: openstack_pki_install_ca:
- name: "ExampleCorpRoot" - name: "ExampleCorpRoot"
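Review bot: this hunk (`-63,4 +64,4`) shows only three unchanged context lines and no `+`/`-` line, so its fourth line is not visible in the rendered diff. The file summary reports 13 additions and 2 deletions, against 12 additions and 1 deletion visible in the other two hunks, so this is most likely an end-of-file newline change. Confirm that it is intentional; whitespace-only fixes are easier to review when kept out of a functional change.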


@ -0,0 +1,10 @@
---
features:
- |
A new 'ssl_cipher_suite_tls13' variable is added for global control of
TLS v1.3 cipher suites.
deprecations:
- |
The variable 'ssl_cipher_suite' is deprecated in favour of
'ssl_cipher_suite_tls12' which will continue to manage configuration of
ciphers for TLS v1.2 and earlier.
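Review bot: the deprecation note says `ssl_cipher_suite` is deprecated in favour of `ssl_cipher_suite_tls12` but does not tell deployers two things the first hunk makes true: an existing `ssl_cipher_suite` value is still honoured as the default for the new variable, and such an override no longer covers TLS v1.3, whose suites are now controlled only by `ssl_cipher_suite_tls13`. Spell both out, for example: "Deployments that set ssl_cipher_suite should move the value to ssl_cipher_suite_tls12 and review ssl_cipher_suite_tls13, which the old variable does not affect."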