Force force-tlsv12 only

Secure by default

Change-Id: I61aaa82ac705a4cf6a082a149d78db85e0365706
Matthew Thode 2018-12-17 09:51:34 -06:00
parent 0d44c7dca5
commit 1a9184e9c5
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 8 additions and 1 deletions


@ -208,7 +208,7 @@ horizon_wsgi_threads: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, h
horizon_ssl_cert: /etc/ssl/certs/horizon.pem horizon_ssl_cert: /etc/ssl/certs/horizon.pem
horizon_ssl_key: /etc/ssl/private/horizon.key horizon_ssl_key: /etc/ssl/private/horizon.key
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.1') }}"
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it # if using a self-signed certificate, set this to true to regenerate it
horizon_ssl_self_signed_regen: false horizon_ssl_self_signed_regen: false
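Review bot: The new default on the `horizon_ssl_protocol` line, `ALL -SSLv2 -SSLv3 -TLSv1.1`, removes TLS 1.1 but still leaves `TLSv1` (TLS 1.0) enabled, so the commit's stated goal of TLS 1.2 only is not met. Assuming this value is rendered into Apache's `SSLProtocol` directive (the template is not visible here), I would change the line to `horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"`. Because `ALL` also admits any newer protocol version the TLS library supports, the release note's wording "only allows version 1.2" should be checked against the final value. A deployer-set `ssl_protocol` still overrides this default, so a short comment above the variable saying so would help anyone auditing which protocols are actually offered.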


@ -0,0 +1,7 @@
---
security:
- |
The default TLS version has been set to TLS1.2. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the horizon_ssl_protocol
variable.