Merge "Force force-tlsv12 only"

This commit is contained in:
Zuul 2018-12-23 00:52:45 +00:00 committed by Gerrit Code Review
commit e9a680bfa7
2 changed files with 7 additions and 1 deletions

View File

@ -16,6 +16,6 @@
## SSL ## SSL
# These do not need to be configured unless you're creating certificates for # These do not need to be configured unless you're creating certificates for
# services running behind Apache (currently, Horizon and Keystone). # services running behind Apache (currently, Horizon and Keystone).
ssl_protocol: "ALL -SSLv2 -SSLv3" ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"

View File

@ -0,0 +1,6 @@
---
security:
- |
The default TLS version has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the ssl_protocol variable.