On 28/03/16 21:33, Bryan Quigley wrote:
> Right now if you deploy juju-gui or openstack-dashboard (and likely
> many more) they will follow the 14.04 default and have SSLv3 and RC4
> enabled. In both cases this can make the communication insecure.
>
> 1) Should we default SSLv3/RC4 to disabled in charms that we know we can?
>
> For example, last I checked the OpenStack dashboard does not support
> IE6, so we don't need SSLv3 support.

Yes, I'd say at the level of a specific set of charms (like the OpenStack ones) this is a straightforward +1 since we can anticipate the client capabilities (browsers and REST API client libraries).

> 2) Should every charm that includes a web server let you override
> SSLOptions with a specific option? This is likely to happen again,
> and maybe next time we won't be able to just disable them.

Seems like a useful convention, but not a requirement given that the underlying software will use different terms to express supported options. Perhaps in future it would be useful to have a convention for this that we encourage charmers to follow, with layers for the common stacks.

Mark
