commit 38b71fea0d25900415c1ae3b81b08fa6e296b586
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Nov 3 15:46:51 2016 +0100
Add ssl_protocols ssl_ciphers
files/httpd/newvirtualhost.conf.j2 | 5 +-
roles/koji_hub/files/koji-ssl.conf | 226 ------------------------------------
roles/koji_hub/tasks/main.yml | 2 +-
vars/global.yml | 5 +-
4 files changed, 7 insertions(+), 231 deletions(-)
---
diff --git a/files/httpd/newvirtualhost.conf.j2 b/files/httpd/newvirtualhost.conf.j2
index 18c7a2e..a00dd53 100644
--- a/files/httpd/newvirtualhost.conf.j2
+++ b/files/httpd/newvirtualhost.conf.j2
@@ -15,13 +15,12 @@
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
- SSLProtocol all -SSLv2
+ SSLProtocol {{ ssl_protocols }}
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+ SSLCipherSuite {{ ssl_ciphers }}
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
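Review bot: The context comment just above the new `SSLProtocol {{ ssl_protocols }}` still says "Disable SSLv2 access by default", which no longer describes the directive now that the value comes from a variable; change it to `# connect. Driven by ssl_protocols in vars/global.yml (the policy lives there):`. Nothing in this hunk sets `SSLHonorCipherOrder on`, so unless it is set elsewhere in the template the order of the curated `ssl_ciphers` list is only advisory and the client's preference decides; adding `SSLHonorCipherOrder on` next to `SSLCipherSuite {{ ssl_ciphers }}` is what makes the ordering in global.yml effective. A host that leaves either variable undefined will fail at template render time rather than fall back to a weak default, which is the right failure mode but worth stating in the comment so nobody "fixes" it with a `default()` filter.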
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
index 258da56..81c23d5 100644
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@@ -255,7 +255,7 @@
when: env == "staging"
- name: koji staging ssl config
- copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf
+ template: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf
tags:
- config
- koji_hub
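Review bot: `template:` resolves a relative `src` under the role's `templates/` directory, whereas the replaced `copy:` looked under `files/`, and the diffstat lists only `roles/koji_hub/files/koji-ssl.conf` as removed with no `koji-ssl.conf.stg` added to or moved into `roles/koji_hub/templates/`; unless that file already exists there (or the loader's fallback search happens to find it), this task will fail to locate its source. The staging file must also actually reference `{{ ssl_protocols }}` and `{{ ssl_ciphers }}` for the module switch to change the deployed config, and it is not part of this diff, so that is presumably assumed rather than shown. While touching the task, write the module arguments as YAML instead of a `key=value` string: `template:` / `src: koji-ssl.conf.stg` / `dest: /etc/httpd/conf.d/ssl.conf`, which is also what lets a later `validate:` or `backup:` option be added cleanly.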
diff --git a/vars/global.yml b/vars/global.yml
index 0510713..f889225 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -44,9 +44,12 @@ centos66_x86_64: CentOS-6-x86_64-GenericCloud-20141129_01
rhel70_x86_64: rhel-guest-image-7.0-20140930.0.x86_64
rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
+ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2"
+ssl_ciphers:
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+
# Set a default hostname base to transient. Override in host vars or command line.
hostbase: transient
-global_pkgs_inst: ['bind-utils', 'mailx', 'nc',
'openssh-clients',
+global_pkgs_inst: ['bind-utils', 'mailx', 'nc',
'openssh-clients',
'patch', 'postfix', 'rsync',
'strace',
'tmpwatch', 'traceroute', 'vim-enhanced',
'xz', 'zsh',
'libselinux-python', 'ntpdate',
'bash-completion', 'telnet',
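Review bot: `ssl_ciphers` is a single ~700-character quoted scalar, so any later change to one suite will be unreviewable in a diff; keep the suites as a YAML list and build the string once with a `join`, as sketched below, which leaves `ssl_ciphers` a plain string for the templates that consume it. Neither new variable carries a comment saying which templates render it or why TLSv1.0/1.1 and the CBC-SHA1 suites are deliberately retained; record that next to the definitions, e.g. `# Rendered into SSLProtocol by files/httpd/newvirtualhost.conf.j2; TLSv1.0/1.1 kept for <reason>`. The `global_pkgs_inst` line is removed and re-added with visibly identical text, which looks like a whitespace-only change and is noise in a commit about TLS settings; if it is intentional, say so in the message.
```yaml
# Rendered into SSLCipherSuite by files/httpd/newvirtualhost.conf.j2; one
# suite per line so individual additions and removals show up in review.
ssl_ciphers_list:
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-GCM-SHA256
  # … unchanged: the remaining suites from the original string, then the
  # "!aNULL … !PSK" exclusions, in the same order …
ssl_ciphers: "{{ ssl_ciphers_list | join(':') }}"
```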