From e347a711537f0a58e52a858e121432743b026a72 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 14 Oct 2014 17:07:06 -0700
Subject: [PATCH] Use only TLSv1 and greater to depoodle
The poodle SSLv3 vulnerability is a good reason to stop using SSLv3. Switch to TLS everywhere in our apache vhost configs.
Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
---
 modules/cgit/templates/git.vhost.erb | 1 +
 modules/etherpad_lite/templates/etherpadlite.vhost.erb | 1 +
 modules/gerrit/templates/gerrit.vhost.erb | 1 +
 modules/jenkins/templates/jenkins.vhost.erb | 1 +
 modules/mediawiki/templates/apache/mediawiki.erb | 1 +
 modules/openstackid/templates/vhost.erb | 1 +
 6 files changed, 6 insertions(+)
diff --git a/modules/cgit/templates/git.vhost.erb b/modules/cgit/templates/git.vhost.erb
index 6d77a56c0e..09b8748b9d 100644
--- a/modules/cgit/templates/git.vhost.erb
+++ b/modules/cgit/templates/git.vhost.erb
@@ -60,6 +60,7 @@
 CustomLog /var/log/httpd/git-access.log combined
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
diff --git a/modules/etherpad_lite/templates/etherpadlite.vhost.erb b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
index 97d05fa997..c42d19ee5f 100644
--- a/modules/etherpad_lite/templates/etherpadlite.vhost.erb
+++ b/modules/etherpad_lite/templates/etherpadlite.vhost.erb
@@ -23,6 +23,7 @@
 CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-access.log combined
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
diff --git a/modules/gerrit/templates/gerrit.vhost.erb b/modules/gerrit/templates/gerrit.vhost.erb
index 5ed6b90c20..eaca390fa6 100644
--- a/modules/gerrit/templates/gerrit.vhost.erb
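Review bot: The explicit list `+TLSv1 +TLSv1.1 +TLSv1.2` on the added `SSLProtocol` line only works where the installed mod_ssl recognises the `TLSv1.1` and `TLSv1.2` tokens; a build that predates them rejects the directive at config parse, so the vhost would fail to load instead of merely losing SSLv3. The diff does not show which Apache/OpenSSL versions these templates are deployed to, and the `/var/log/httpd` path here versus `${APACHE_LOG_DIR}` in the other templates suggests more than one distribution, so this needs confirming per host. The subtractive form `SSLProtocol all -SSLv2 -SSLv3` drops SSLv3 on any mod_ssl version and keeps picking up newer TLS versions without another template edit. The same line is added in the etherpad_lite, gerrit, jenkins, mediawiki and openstackid hunks, so the point applies to all six; in each case the enclosing vhost block begins and ends outside the hunk.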
+++ b/modules/gerrit/templates/gerrit.vhost.erb
@@ -24,6 +24,7 @@
 CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("gerrit::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("gerrit::ssl_key_file") %>
diff --git a/modules/jenkins/templates/jenkins.vhost.erb b/modules/jenkins/templates/jenkins.vhost.erb
index e2b568cc63..69e6e4f18f 100644
--- a/modules/jenkins/templates/jenkins.vhost.erb
+++ b/modules/jenkins/templates/jenkins.vhost.erb
@@ -22,6 +22,7 @@
 CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::jenkins::master::vhost_name") %>-ssl-access.log combined
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("::jenkins::master::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("::jenkins::master::ssl_key_file") %>
diff --git a/modules/mediawiki/templates/apache/mediawiki.erb b/modules/mediawiki/templates/apache/mediawiki.erb
index d8c7541a11..b1cd718069 100644
--- a/modules/mediawiki/templates/apache/mediawiki.erb
+++ b/modules/mediawiki/templates/apache/mediawiki.erb
@@ -39,6 +39,7 @@
 ServerName <%= scope.lookupvar("mediawiki::site_hostname") %>
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("mediawiki::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("mediawiki::ssl_key_file") %>
 <% if scope.lookupvar("mediawiki::ssl_chain_file") != "" %>
diff --git a/modules/openstackid/templates/vhost.erb b/modules/openstackid/templates/vhost.erb
index 5594b52241..17cc096b74 100644
--- a/modules/openstackid/templates/vhost.erb
+++ b/modules/openstackid/templates/vhost.erb
@@ -19,6 +19,7 @@
 CustomLog ${APACHE_LOG_DIR}/openstackid-ssl-access.log combined
 SSLEngine on
+ SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
 SSLCertificateFile <%= scope.lookupvar("openstackid::ssl_cert_file") %>
 SSLCertificateKeyFile <%= scope.lookupvar("openstackid::ssl_key_file") %>
 <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>
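Review bot: This is the sixth hand-copied `SSLProtocol` line in the patch, so protection depends on every vhost template remembering to carry it. A vhost that is added later, or one not touched by this change, falls back to the server-wide mod_ssl default, which on builds of this period can still include SSLv3; the diff does not show whether a server-scope `SSLProtocol` is set anywhere. Consider setting the directive once in the server-level mod_ssl configuration and keeping per-vhost lines only where a site needs to differ. A one-line comment above the directive, e.g. `# POODLE: SSLv3 must stay disabled`, would record why it is there; the surrounding vhost block is outside the hunk.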