Closed twaldrop closed 6 years ago
Build started sha1 is merged.
Build finished.
Build triggered. sha1 is merged.
retest
From what I found, SSL protocols have to be disabled in /etc/haproxy/haproxy.cfg, which is terminating the SSL connection. SSLv3 is already disabled there. To also disable TLSv1.0 and TLSv1.1 you just need to change all the bind lines in haproxy.cfg as follows:
- bind :::5000 ssl crt /etc/haproxy/openstack.pem no-sslv3 ciphers AES128-SHA:AES256-SHA
+ bind :::5000 ssl crt /etc/haproxy/openstack.pem no-sslv3 no-tlsv10 no-tlsv11 ciphers AES128-SHA:AES256-SHA
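Review bot: the + line keeps ciphers AES128-SHA:AES256-SHA, so once TLSv1.0 and TLSv1.1 are off the only suites offered over TLSv1.2 are static-RSA key exchange with CBC and a SHA-1 MAC, with no forward secrecy. Consider extending the list in the same change with ECDHE AEAD suites (for example ECDHE-RSA-AES128-GCM-SHA256). On HAProxy 1.8 or later, ssl-min-ver TLSv1.2 expresses the three no-* flags in a single keyword.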
I verified that doing this did in fact disable TLSv1.0 and TLSv1.1. You can check if TLS v1.0, v1.1 and v1.2 are enabled or not by running the following commands, respectively:
openssl s_client -connect HOSTNAME:443 -tls1
openssl s_client -connect HOSTNAME:443 -tls1_1
openssl s_client -connect HOSTNAME:443 -tls1_2
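A static check to go with the openssl probes above, as an added example that is not part of the original comment or the project's code: it lists every TLS-terminating bind line in a haproxy.cfg that still lacks no-tlsv10/no-tlsv11. The function names, the sample frontends and ports 5001/8080 are assumptions; it also assumes any ssl-default-bind-options line appears before the bind lines it covers.

```shell
#!/bin/sh
# Added example: flag HAProxy TLS bind lines that still accept TLSv1.0/TLSv1.1.

# audit_binds FILE
# Prints "LINE: missing FLAGS: text" for every "bind ... ssl" line lacking the
# flags; returns 1 if any line was reported, 0 otherwise.
audit_binds() {
    awk '
        # Record which protocol flags appear in fields FROM..NF of this line.
        function scan(from,    i) {
            ssl = v10 = v11 = 0
            for (i = from; i <= NF && $i !~ /^#/; i++) {
                if ($i == "ssl") ssl = 1
                if ($i == "no-tlsv10") v10 = 1
                if ($i == "no-tlsv11") v11 = 1
                # HAProxy 1.8+ alternative to the no-tlsv1x flags.
                if ($i == "ssl-min-ver" && $(i + 1) ~ /^TLSv1\.[23]$/) v10 = v11 = 1
            }
        }
        # Global defaults apply to every bind line that follows.
        $1 == "ssl-default-bind-options" { scan(2); d10 = v10; d11 = v11; next }
        $1 == "bind" {
            scan(2)
            if (!ssl) next            # plain-text listener, nothing to check
            miss = ""
            if (!v10 && !d10) miss = miss " no-tlsv10"
            if (!v11 && !d11) miss = miss " no-tlsv11"
            if (miss != "") { printf "%d: missing%s: %s\n", NR, miss, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample config: the two bind lines from the comment above plus a
# plain listener; frontend names and ports 5001/8080 are made up.
sample_cfg() {
    cat <<'EOF'
frontend keystone
    bind :::5000 ssl crt /etc/haproxy/openstack.pem no-sslv3 ciphers AES128-SHA:AES256-SHA
frontend fixed
    bind :::5001 ssl crt /etc/haproxy/openstack.pem no-sslv3 no-tlsv10 no-tlsv11 ciphers AES128-SHA:AES256-SHA
frontend plain
    bind :::8080
EOF
}

tmp=$(mktemp)
sample_cfg > "$tmp"
audit_binds "$tmp" || echo "the lines listed above still allow TLSv1.0/TLSv1.1"
rm -f "$tmp"
```

A clean result only covers the configuration file; the openssl s_client probes remain the check of what the running listener actually negotiates.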