Merge ~pjdc/ubuntu-mirror-charm/+git/ubuntu-mirror-charm:tls-versions-and-ciphersuite into ubuntu-mirror-charm:master

Proposed by Paul Collins
Status: Merged
Approved by: Haw Loeung
Approved revision: 3df94bc920bd385ff1af91813bf48a2409a04689
Merged at revision: 8859d2343f520e0442b44a9931d1e297b64218db
Proposed branch: ~pjdc/ubuntu-mirror-charm/+git/ubuntu-mirror-charm:tls-versions-and-ciphersuite
Merge into: ubuntu-mirror-charm:master
Diff against target: 109 lines (+25/-0)
7 files modified
hooks/hooks.py (+7/-0)
templates/apache-cdimage.tmpl (+3/-0)
templates/apache-cloud-images.tmpl (+3/-0)
templates/apache-ports.tmpl (+3/-0)
templates/apache-releases.tmpl (+3/-0)
templates/apache-simple-streams.tmpl (+3/-0)
templates/apache-ubuntu.tmpl (+3/-0)
Reviewer Review Type Date Requested Status
Haw Loeung +1 Approve
Canonical IS Reviewers Pending
Review via email: mp+381206@code.launchpad.net

Commit message

set tls (ssl) cipher suite and protocol versions to modern values

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Haw Loeung (hloeung) wrote :

LGTM

review: Approve (+1)
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 8859d2343f520e0442b44a9931d1e297b64218db

Preview Diff

diff --git a/hooks/hooks.py b/hooks/hooks.py
index 7e8af4f..9e9116e 100755
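--- a/hooks/hooks.py
+++ b/hooks/hooks.py
@@ -41,6 +41,12 @@ fqdn = socket.getfqdn()
 execd_dir = os.path.join(charm_dir(), 'exec.d')
 conf = Config()
 
+apache_tls_settings = {
+ 'ssl_cipher_suite': 'EECDH+AESGCM+AES128:EDH+AESGCM+AES128:EECDH+AES128:EDH+AES128:ECDH+AESGCM+AES128:aRSA+AESGCM+AES128:ECDH+AES128:DH+AES128:aRSA+AES128:EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:ECDH+AESGCM:aRSA+AESGCM:ECDH:DH:aRSA:HIGH:!MEDIUM:!aNULL:!NULL:!LOW:!3DES:!DSS:!EXP:!PSK:!SRP',
+ 'ssl_honor_cipher_order': 'on',
+ 'ssl_protocol': 'ALL -SSLv2 -SSLv3',
+}
+
 required_pkgs = [
  'apache2',
  'xinetd',
@@ -333,6 +339,7 @@ def configure_apache():
  sites_available = os.path.join(available_dir, role + ".conf")
  sites_enabled = os.path.join(enabled_dir, role + ".conf")
  tmpl_data = mirror
+ tmpl_data.update(apache_tls_settings)
  tmpl_data["logdir"] = apache_logdir
  tmpl_data["addresses"] = role_config.get('addresses', ['*'])
  all_addresses.update(tmpl_data["addresses"])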
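Review bot: The `'ssl_protocol': 'ALL -SSLv2 -SSLv3'` entry in `apache_tls_settings` still leaves TLS 1.0 and TLS 1.1 enabled, which does not match the "modern values" the commit message describes; if the mirror's clients allow it, `'ssl_protocol': 'ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',` would restrict the listener to TLS 1.2 and later. The cipher string also ends in broad aliases (`aRSA`, `DH`, `ECDH`, `HIGH`) that admit CBC-mode suites and, depending on the OpenSSL build, suites without forward secrecy, so the effective list is worth checking with `openssl ciphers -v` on the deployed release. In the second hunk, `tmpl_data.update(apache_tls_settings)` runs right after `tmpl_data = mirror`, so it writes into the `mirror` dict itself and replaces any same-named keys a mirror entry carries; `configure_apache()` begins and ends outside the hunk, so whether that matters cannot be seen here. A short comment above the dict recording where the cipher string came from and when it was last reviewed would help whoever has to update it next.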
diff --git a/templates/apache-cdimage.tmpl b/templates/apache-cdimage.tmpl
index ea841dc..dd8b9a4 100644
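--- a/templates/apache-cdimage.tmpl
+++ b/templates/apache-cdimage.tmpl
@@ -15,6 +15,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www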
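Review bot: The three directives are added inside the template's conditional SSL block (they sit just before `#end if`), presumably within a per-site virtual host, and for name-based virtual hosts sharing an address and port, Apache before 2.4.42 or built against OpenSSL older than 1.1.1 takes `SSLProtocol` from the first virtual host declared on that listener, not from the one selected by SNI. Every template receives the same value from `apache_tls_settings`, so this is harmless while all SSL vhosts on the unit come from these templates, but a vhost from another source that sorts first would decide the protocol set. Setting `SSLProtocol` once at server level would make that explicit. The same applies to the identical hunks in apache-cloud-images.tmpl, apache-ports.tmpl, apache-releases.tmpl, apache-simple-streams.tmpl and apache-ubuntu.tmpl; the enclosing `#if` starts outside the hunk.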
diff --git a/templates/apache-cloud-images.tmpl b/templates/apache-cloud-images.tmpl
index 04f11cc..541b1e4 100644
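--- a/templates/apache-cloud-images.tmpl
+++ b/templates/apache-cloud-images.tmpl
@@ -16,6 +16,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www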
diff --git a/templates/apache-ports.tmpl b/templates/apache-ports.tmpl
index f24823e..654e7da 100644
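--- a/templates/apache-ports.tmpl
+++ b/templates/apache-ports.tmpl
@@ -15,6 +15,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www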
diff --git a/templates/apache-releases.tmpl b/templates/apache-releases.tmpl
index aeae97c..b0c0a92 100644
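--- a/templates/apache-releases.tmpl
+++ b/templates/apache-releases.tmpl
@@ -16,6 +16,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www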
diff --git a/templates/apache-simple-streams.tmpl b/templates/apache-simple-streams.tmpl
index 8e4b613..88d98a7 100644
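--- a/templates/apache-simple-streams.tmpl
+++ b/templates/apache-simple-streams.tmpl
@@ -16,6 +16,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www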
diff --git a/templates/apache-ubuntu.tmpl b/templates/apache-ubuntu.tmpl
index 0887271..7dde1b8 100644
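--- a/templates/apache-ubuntu.tmpl
+++ b/templates/apache-ubuntu.tmpl
@@ -15,6 +15,9 @@ ${apache_early_extra}
  SSLCertificateFile /etc/apache2/ssl/${name}.crt
  SSLCertificateKeyFile /etc/apache2/ssl/${name}.key
  SSLCertificateChainFile /etc/apache2/ssl/${name}_chain.crt
+ SSLCipherSuite ${ssl_cipher_suite}
+ SSLHonorCipherOrder ${ssl_honor_cipher_order}
+ SSLProtocol ${ssl_protocol}
 
 #end if
  DocumentRoot /srv/${name}/www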
