Use only TLSv1 and greater to depoodle

The poodle SSLv3 vulnerability is a good reason to stop using SSLv3. Switch to TLS everywhere in our apache vhost configs. Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
2014-10-14 17:07:06 -07:00 · 2014-10-14 17:07:06 -07:00 · e347a71153
commit e347a71153
parent e86cd862c8
6 changed files with 6 additions and 0 deletions
--- a/modules/cgit/templates/git.vhost.erb
+++ b/modules/cgit/templates/git.vhost.erb
@ -60,6 +60,7 @@
  CustomLog /var/log/httpd/git-access.log combined

  SSLEngine on
+  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

  SSLCertificateFile      <%= scope.lookupvar("cgit::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("cgit::ssl_key_file") %>
--- a/modules/etherpad_lite/templates/etherpadlite.vhost.erb
+++ b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
@ -23,6 +23,7 @@
  CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-access.log combined

  SSLEngine on
+  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

  SSLCertificateFile      <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
--- a/modules/gerrit/templates/gerrit.vhost.erb
+++ b/modules/gerrit/templates/gerrit.vhost.erb
@ -24,6 +24,7 @@
  CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined

  SSLEngine on
+  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

  SSLCertificateFile      <%= scope.lookupvar("gerrit::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("gerrit::ssl_key_file") %>
--- a/modules/jenkins/templates/jenkins.vhost.erb
+++ b/modules/jenkins/templates/jenkins.vhost.erb
@ -22,6 +22,7 @@
             CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::jenkins::master::vhost_name") %>-ssl-access.log combined

             SSLEngine on
+             SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

             SSLCertificateFile      <%= scope.lookupvar("::jenkins::master::ssl_cert_file") %>
             SSLCertificateKeyFile   <%= scope.lookupvar("::jenkins::master::ssl_key_file") %>
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@ -39,6 +39,7 @@
        ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>

        SSLEngine on
+        SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCertificateFile      <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
        SSLCertificateKeyFile   <%= scope.lookupvar("mediawiki::ssl_key_file") %>
        <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
--- a/modules/openstackid/templates/vhost.erb
+++ b/modules/openstackid/templates/vhost.erb
@ -19,6 +19,7 @@
  CustomLog ${APACHE_LOG_DIR}/openstackid-ssl-access.log combined

  SSLEngine on
+  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCertificateFile      <%= scope.lookupvar("openstackid::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("openstackid::ssl_key_file") %>
 <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>