diff --git a/chef/cookbooks/horizon/attributes/default.rb b/chef/cookbooks/horizon/attributes/default.rb
index 38808b0654..5d76d7e8e9 100644
--- a/chef/cookbooks/horizon/attributes/default.rb
+++ b/chef/cookbooks/horizon/attributes/default.rb
@@ -33,6 +33,7 @@ default[:horizon][:policy_file][:neutron_fwaas] = "neutron-fwaas-policy.json"
 default[:horizon][:apache][:ssl] = false
+default[:horizon][:apache][:ssl_protocol] = "all -SSLv3"
 default[:horizon][:apache][:ssl_crt_file] = "/etc/apache2/ssl.crt/openstack-dashboard-server.crt"
 default[:horizon][:apache][:ssl_key_file] = "/etc/apache2/ssl.key/openstack-dashboard-server.key"
 default[:horizon][:apache][:generate_certs] = false
diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
index e1e87c7157..e5914f5104 100644
--- a/chef/cookbooks/horizon/recipes/server.rb
+++ b/chef/cookbooks/horizon/recipes/server.rb
@@ -564,6 +564,7 @@
   user: node[:apache][:user],
   group: node[:apache][:group],
   use_ssl: node[:horizon][:apache][:ssl],
+  ssl_protocol: node[:horizon][:apache][:ssl_protocol],
   ssl_crt_file: node[:horizon][:apache][:ssl_crt_file],
   ssl_key_file: node[:horizon][:apache][:ssl_key_file],
   ssl_crt_chain_file: node[:horizon][:apache][:ssl_crt_chain_file],
diff --git a/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb b/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
index dec550afef..86a40b68af 100644
--- a/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
+++ b/chef/cookbooks/horizon/templates/suse/openstack-dashboard.conf.erb
@@ -55,7 +55,7 @@ Listen <%= @bind_host %>:<%= @bind_port_ssl %>
 :<%= @bind_port_ssl %>>
   SSLEngine On
   SSLCipherSuite DEFAULT_SUSE
-  SSLProtocol all -SSLv2 -SSLv3
+  SSLProtocol <%= @ssl_protocol %>
   # Prevent plaintext downgrade for 180 days
   Header always set Strict-Transport-Security "max-age=15552000"
   SSLCertificateFile <%= @ssl_crt_file %>
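Review bot: The new default `"all -SSLv3"` on the added attribute line no longer excludes SSLv2, which the template line this commit replaces (`SSLProtocol all -SSLv2 -SSLv3` in openstack-dashboard.conf.erb) did explicitly, and the same value is seeded into template-horizon.json further down. On Apache builds whose OpenSSL still compiles SSLv2 that is a silent weakening, so keeping the previous exclusion list is the safer default: `default[:horizon][:apache][:ssl_protocol] = "all -SSLv2 -SSLv3"`. A one-line comment above it would also help operators understand what the string is, e.g. `# Passed verbatim to Apache's SSLProtocol directive; keep SSLv2/SSLv3 disabled`.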
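Review bot: `SSLProtocol <%= @ssl_protocol %>` renders an argument-less directive whenever the attribute is nil or empty (a proposal that has not been migrated yet, or an operator clearing the field), and Apache rejects a bare `SSLProtocol` line at config load, so the hard-coded safety net the hunk removes is gone without a replacement. A fallback in the template keeps the vhost valid regardless of attribute state: `SSLProtocol <%= @ssl_protocol.to_s.strip.empty? ? "all -SSLv2 -SSLv3" : @ssl_protocol %>`. The VirtualHost block that contains these directives starts and ends outside the hunk.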
diff --git a/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
new file mode 100644
index 0000000000..3497a6dae0
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/horizon/303_add_ssl_protocol.rb
@@ -0,0 +1,11 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  unless attrs["apache"].key? "ssl_protocol"
+    attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"]
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  unless template_attrs["apache"].key? "ssl_protocol"
+    attrs["apache"].delete("ssl_protocol")
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/template-horizon.json b/chef/data_bags/crowbar/template-horizon.json
index e364f423c4..bf8cf43638 100644
--- a/chef/data_bags/crowbar/template-horizon.json
+++ b/chef/data_bags/crowbar/template-horizon.json
@@ -36,6 +36,7 @@
     "apache": {
       "ssl": false,
       "generate_certs": false,
+      "ssl_protocol": "all -SSLv3",
       "ssl_crt_file": "/etc/apache2/ssl.crt/openstack-dashboard-server.crt",
       "ssl_key_file": "/etc/apache2/ssl.key/openstack-dashboard-server.key",
       "ssl_crt_chain_file": ""
@@ -52,7 +53,7 @@
     "horizon": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 302,
+      "schema-revision": 303,
       "element_states": {
         "horizon-server": [ "readying", "ready", "applying" ]
       },
diff --git a/chef/data_bags/crowbar/template-horizon.schema b/chef/data_bags/crowbar/template-horizon.schema
index 027102a7d6..f4266f55bb 100644
--- a/chef/data_bags/crowbar/template-horizon.schema
+++ b/chef/data_bags/crowbar/template-horizon.schema
@@ -60,6 +60,7 @@
         "mapping": {
           "ssl": { "type": "bool", "required": true },
           "generate_certs": { "type": "bool", "required": true },
+          "ssl_protocol": { "type": "str" },
           "ssl_crt_file": { "type": "str" },
           "ssl_key_file": { "type": "str" },
           "ssl_crt_chain_file": { "type": "str" }
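Review bot: Neither `unless` block in the new migration is closed — the `end` after each `return attrs, deployment` terminates the `unless`, leaving `def upgrade` and `def downgrade` open, so as displayed the file does not parse. The hunk header `+1,11` matches the eleven added lines shown, so this does not look like a rendering artifact, but it is worth confirming against the repository before acting on it. The modifier form fixes it and reads better: `attrs["apache"]["ssl_protocol"] = template_attrs["apache"]["ssl_protocol"] unless attrs["apache"].key?("ssl_protocol")` in upgrade and `attrs["apache"].delete("ssl_protocol") unless template_attrs["apache"].key?("ssl_protocol")` in downgrade, each replacing its two-line block. A short header comment stating the intent (`# Seed apache.ssl_protocol from the template for proposals created before schema-revision 303`) would also help the next person reading the migrate directory.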
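Review bot: `"ssl_protocol": { "type": "str" }` is optional and unconstrained even though the value is written verbatim into Apache's `SSLProtocol` directive; the neighbouring `ssl` and `generate_certs` entries are `"required": true`, and the migration in this commit adds the key to every proposal, so `"ssl_protocol": { "type": "str", "required": true }` would make the schema match what the recipe and template assume. If the validator honours a `pattern` rule, restricting the value to `all` and `+`/`-` prefixed `SSLv3`, `TLSv1`, `TLSv1.1` and `TLSv1.2` tokens would reject typos before they reach Apache and break the vhost. The enclosing `mapping` continues outside the hunk.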