Merge ~nick-moffitt/content-cache-charm:disable-old-tls into content-cache-charm:master

Proposed by Nick Moffitt
Status: Merged
Approved by: Thomas Cuthbert
Approved revision: a5a0ebcdd1625b404a6db9b55907920ffe09b5ec
Merged at revision: 2e806fc01bec2b5c9cb077721091ad2d5f688a29
Proposed branch: ~nick-moffitt/content-cache-charm:disable-old-tls
Merge into: content-cache-charm:master
Diff against target: 76 lines (+18/-7)
4 files modified
reactive/content_cache.py (+15/-4)
templates/haproxy_cfg.tmpl (+1/-1)
tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+1/-1)
tests/unit/files/haproxy_config_rendered_test_output.txt (+1/-1)
Reviewer Review Type Date Requested Status
Joel Sing (community) +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+365473@code.launchpad.net

Commit message

Disable obsolete TLS versions

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Joel Sing (jsing) wrote :

LGTM

review: Approve (+1)
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 2e806fc01bec2b5c9cb077721091ad2d5f688a29

Preview Diff

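diff --git a/reactive/content_cache.py b/reactive/content_cache.py
index 18a801a..e137694 100644
--- a/reactive/content_cache.py
+++ b/reactive/content_cache.py
@@ -203,10 +203,6 @@ def configure_nagios():
 url = 'http://{}'.format(site)
 tls_cert_bundle_path = site_conf.get('tls-cert-bundle-path')
 tls = ''
-if tls_cert_bundle_path:
-default_port = 443
-url = 'https://{}'.format(site)
-tls = ' -S --sni'
 method = site_conf.get('backend-check-method', 'HEAD')
 path = site_conf.get('backend-check-path', '/')
 token = ''
@@ -215,6 +211,21 @@ def configure_nagios():
 expiry_time = datetime.datetime.now() + datetime.timedelta(days=3650)
 token = '?token={}'.format(utils.generate_token(signed_url_hmac_key, path, expiry_time))
 
+if tls_cert_bundle_path:
+default_port = 443
+url = 'https://{}'.format(site)
+tls = ' --ssl=1.2 --sni'
+
+# Negative Listen/frontend checks to alert on obsolete TLS versions
+for tlsrev in ('1', '1.1'):
+check_name = 'site_{}_no_tls_{}'.format(utils.generate_nagios_check_name(site),
+tlsrev.replace('.', '_'))
+cmd = '/usr/lib/nagios/plugins/negate' \
+' /usr/lib/nagios/plugins/check_http -I 127.0.0.1 -H {site}' \
+' -p {port} --ssl={tls} --sni -j {method} -u {url}{path}{token}' \
+.format(site=site, port=default_port, method=method, url=url, path=path, token=token, tls=tlsrev)
+nrpe_setup.add_check(check_name, '{} confirm obsolete TLS v{} denied'.format(site, tlsrev), cmd)
+
 # Listen / frontend check
 check_name = 'site_{}_listen'.format(utils.generate_nagios_check_name(site))
 cmd = '/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -H {site}' \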
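Review bot: `tls = ' --ssl=1.2 --sni'` pins the positive listen check to exactly TLS 1.2; check_http's `--ssl=VERSION[+]` takes a `+` suffix meaning "this version or newer", so `tls = ' --ssl=1.2+ --sni'` would keep the check valid once TLS 1.3 is offered and 1.2 is eventually retired, provided the packaged check_http supports the suffix. The negated checks depend on negate's default mapping (OK becomes CRITICAL, CRITICAL becomes OK), so a frontend that is down entirely also makes them report OK; that is only acceptable because the positive listen check below exists, and the comment above the loop should say so, e.g. `# negate maps check_http CRITICAL to OK, so these also pass when the frontend is down; the listen check below covers outages`. configure_nagios begins before this hunk and continues after it.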
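diff --git a/templates/haproxy_cfg.tmpl b/templates/haproxy_cfg.tmpl
index e6d367f..881beb1 100644
--- a/templates/haproxy_cfg.tmpl
+++ b/templates/haproxy_cfg.tmpl
@@ -19,7 +19,7 @@ global
 # An alternative list with additional directives can be obtained from
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
-ssl-default-bind-options no-sslv3
+ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
 
 defaults
 log global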
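Review bot: `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` expresses the policy as a list of versions to exclude, which must be extended each time another version is retired; HAProxy 1.8 and later accept `ssl-min-ver TLSv1.2` in the same directive, which states the floor directly and subsumes all three `no-*` flags, so `ssl-default-bind-options ssl-min-ver TLSv1.2` is preferable if the deployed HAProxy is new enough (the diff does not say which version is targeted). This hunk only raises the floor on the bind (client-facing) side; if the charm also speaks TLS to backends via `ssl-default-server-options`, that side is unchanged here. The two test fixture files below mirror this one-line change.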
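diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
index 1da4d50..e2ebce0 100644
--- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt
@@ -19,7 +19,7 @@ global
 # An alternative list with additional directives can be obtained from
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
-ssl-default-bind-options no-sslv3
+ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
 
 defaults
 log global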
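diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt
index bf4db24..147b6ae 100644
--- a/tests/unit/files/haproxy_config_rendered_test_output.txt
+++ b/tests/unit/files/haproxy_config_rendered_test_output.txt
@@ -19,7 +19,7 @@ global
 # An alternative list with additional directives can be obtained from
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
-ssl-default-bind-options no-sslv3
+ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
 
 defaults
 log global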
