Merge ~pjdc/ubuntu-mirror-charm/+git/ubuntu-mirror-charm:tls-versions-and-ciphersuite into ubuntu-mirror-charm:master

Proposed by Paul Collins
Status: Merged
Approved by: Haw Loeung
Approved revision: 3df94bc920bd385ff1af91813bf48a2409a04689
Merged at revision: 8859d2343f520e0442b44a9931d1e297b64218db
Proposed branch: ~pjdc/ubuntu-mirror-charm/+git/ubuntu-mirror-charm:tls-versions-and-ciphersuite
Merge into: ubuntu-mirror-charm:master
Diff against target: 109 lines (+25/-0)
7 files modified
hooks/hooks.py (+7/-0)
templates/apache-cdimage.tmpl (+3/-0)
templates/apache-cloud-images.tmpl (+3/-0)
templates/apache-ports.tmpl (+3/-0)
templates/apache-releases.tmpl (+3/-0)
templates/apache-simple-streams.tmpl (+3/-0)
templates/apache-ubuntu.tmpl (+3/-0)
Reviewer                Review Type   Date Requested   Status
Haw Loeung              +1                             Approve
Canonical IS Reviewers                                 Pending
Review via email: mp+381206@code.launchpad.net

Commit message

set tls (ssl) cipher suite and protocol versions to modern values

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
Haw Loeung (hloeung) wrote :

LGTM

review: Approve (+1)
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 8859d2343f520e0442b44a9931d1e297b64218db

Preview Diff

1diff --git a/hooks/hooks.py b/hooks/hooks.py
2index 7e8af4f..9e9116e 100755
3--- a/hooks/hooks.py
4+++ b/hooks/hooks.py
5@@ -41,6 +41,12 @@ fqdn = socket.getfqdn()
6 execd_dir = os.path.join(charm_dir(), 'exec.d')
7 conf = Config()
8
9+apache_tls_settings = {
10+ 'ssl_cipher_suite': 'EECDH+AESGCM+AES128:EDH+AESGCM+AES128:EECDH+AES128:EDH+AES128:ECDH+AESGCM+AES128:aRSA+AESGCM+AES128:ECDH+AES128:DH+AES128:aRSA+AES128:EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:ECDH+AESGCM:aRSA+AESGCM:ECDH:DH:aRSA:HIGH:!MEDIUM:!aNULL:!NULL:!LOW:!3DES:!DSS:!EXP:!PSK:!SRP',
11+ 'ssl_honor_cipher_order': 'on',
12+ 'ssl_protocol': 'ALL -SSLv2 -SSLv3',
13+}
14+
15 required_pkgs = [
16 'apache2',
17 'xinetd',
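Review bot: `'ssl_protocol': 'ALL -SSLv2 -SSLv3'` still leaves TLSv1.0 and TLSv1.1 enabled, which is not what "modern values" in the commit message suggests; consider `'ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'` (the portable form; `-all +TLSv1.2 +TLSv1.3` is cleaner but the `TLSv1.3` keyword is a startup error on an httpd built without TLS 1.3 support, so check the target series first). The cipher string is ordered sensibly (EECDH/EDH first, so with `SSLHonorCipherOrder on` forward-secret suites win), but the `aRSA+...` and `DH`/`ECDH` entries at the tail still admit plain RSA key exchange for clients without (EC)DHE; add `!kRSA` if forward secrecy is meant to be mandatory, and note that `SSLCipherSuite` does not govern TLS 1.3 suites at all. Since this is a hard-coded module constant, a one-line comment giving the origin of the string and a quick `openssl ciphers -v '<string>'` on the deployment's OpenSSL would make later review of the list much easier.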
18@@ -333,6 +339,7 @@ def configure_apache():
19 sites_available = os.path.join(available_dir, role + ".conf")
20 sites_enabled = os.path.join(enabled_dir, role + ".conf")
21 tmpl_data = mirror
22+ tmpl_data.update(apache_tls_settings)
23 tmpl_data["logdir"] = apache_logdir
24 tmpl_data["addresses"] = role_config.get('addresses', ['*'])
25 all_addresses.update(tmpl_data["addresses"])
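Review bot: because `tmpl_data = mirror` aliases the per-mirror dict, `tmpl_data.update(apache_tls_settings)` both writes the TLS keys back into `mirror` and silently overwrites any `ssl_cipher_suite`/`ssl_honor_cipher_order`/`ssl_protocol` key an operator put in the mirror definition, so there is no way to tune a single site. If per-site overrides are wanted, build the defaults first and let the mirror win, e.g. `tmpl_data = dict(apache_tls_settings)` followed by `tmpl_data.update(mirror)`; if they are deliberately not wanted, a short comment saying the values are fixed charm-wide would save the next reader the question. The update also runs for non-TLS sites, which is harmless only because every template keeps the new directives inside its `#if` block.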
26diff --git a/templates/apache-cdimage.tmpl b/templates/apache-cdimage.tmpl
27index ea841dc..dd8b9a4 100644
28--- a/templates/apache-cdimage.tmpl
29+++ b/templates/apache-cdimage.tmpl
30@@ -15,6 +15,9 @@ ${apache_early_extra}
31 SSLCertificateFile /etc/apache2/ssl/${name}.crt
32 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
33 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
34+ SSLCipherSuite ${ssl_cipher_suite}
35+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
36+ SSLProtocol ${ssl_protocol}
37
38 #end if
39 DocumentRoot /srv/${name}/www
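Review bot: the three directives are correctly placed inside the same `#if` block as the certificate directives, but the identical block is now copy-pasted into six templates, which is how one template drifts from the others on the next change. `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` are all valid at server-config level and inherited by every vhost, so a single rendered snippet in `/etc/apache2/conf-available/` (or one shared template fragment) would give every site the same policy with one place to edit; the per-vhost lines would then only be needed where a site must deviate. Either way, `apachectl configtest` and an `openssl s_client -connect <host>:443` probe of each role after deploy are worth adding to the test notes.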
40diff --git a/templates/apache-cloud-images.tmpl b/templates/apache-cloud-images.tmpl
41index 04f11cc..541b1e4 100644
42--- a/templates/apache-cloud-images.tmpl
43+++ b/templates/apache-cloud-images.tmpl
44@@ -16,6 +16,9 @@ ${apache_early_extra}
45 SSLCertificateFile /etc/apache2/ssl/${name}.crt
46 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
47 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
48+ SSLCipherSuite ${ssl_cipher_suite}
49+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
50+ SSLProtocol ${ssl_protocol}
51
52 #end if
53 DocumentRoot /srv/${name}/www
54diff --git a/templates/apache-ports.tmpl b/templates/apache-ports.tmpl
55index f24823e..654e7da 100644
56--- a/templates/apache-ports.tmpl
57+++ b/templates/apache-ports.tmpl
58@@ -15,6 +15,9 @@ ${apache_early_extra}
59 SSLCertificateFile /etc/apache2/ssl/${name}.crt
60 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
61 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
62+ SSLCipherSuite ${ssl_cipher_suite}
63+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
64+ SSLProtocol ${ssl_protocol}
65
66 #end if
67 DocumentRoot /srv/${name}/www
68diff --git a/templates/apache-releases.tmpl b/templates/apache-releases.tmpl
69index aeae97c..b0c0a92 100644
70--- a/templates/apache-releases.tmpl
71+++ b/templates/apache-releases.tmpl
72@@ -16,6 +16,9 @@ ${apache_early_extra}
73 SSLCertificateFile /etc/apache2/ssl/${name}.crt
74 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
75 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
76+ SSLCipherSuite ${ssl_cipher_suite}
77+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
78+ SSLProtocol ${ssl_protocol}
79
80 #end if
81 DocumentRoot /srv/${name}/www
82diff --git a/templates/apache-simple-streams.tmpl b/templates/apache-simple-streams.tmpl
83index 8e4b613..88d98a7 100644
84--- a/templates/apache-simple-streams.tmpl
85+++ b/templates/apache-simple-streams.tmpl
86@@ -16,6 +16,9 @@ ${apache_early_extra}
87 SSLCertificateFile /etc/apache2/ssl/${name}.crt
88 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
89 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
90+ SSLCipherSuite ${ssl_cipher_suite}
91+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
92+ SSLProtocol ${ssl_protocol}
93
94 #end if
95 DocumentRoot /srv/${name}/www
96diff --git a/templates/apache-ubuntu.tmpl b/templates/apache-ubuntu.tmpl
97index 0887271..7dde1b8 100644
98--- a/templates/apache-ubuntu.tmpl
99+++ b/templates/apache-ubuntu.tmpl
100@@ -15,6 +15,9 @@ ${apache_early_extra}
101 SSLCertificateFile /etc/apache2/ssl/${name}.crt
102 SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
103 SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
104+ SSLCipherSuite ${ssl_cipher_suite}
105+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
106+ SSLProtocol ${ssl_protocol}
107
108 #end if
109 DocumentRoot /srv/${name}/www
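Review bot: `SSLProtocol` set per vhost is only reliably honoured for name-based virtual hosts on newer httpd; before 2.4.42 the protocol configuration of the first (default) vhost on an address applies to every name-based vhost on it, since protocol selection happens before SNI. That does not bite between the six charm-rendered vhosts, which all get the same value, but a `default-ssl` or other non-charm vhost bound to the same `${addresses}:443` would set the effective protocol floor for all of them. Worth stating that assumption, and verifying on a deployed unit that `openssl s_client -connect <host>:443 -ssl3` (and, once TLS 1.0/1.1 are dropped, `-tls1`) is refused for each role.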
