Andrew Bogott has submitted this change and it was merged.

Change subject: wikitech - use ssl_ciphersuite
......................................................................


wikitech - use ssl_ciphersuite

Change-Id: I9334b8c53b1e855f0bc241dca89a85e1f44aa4a5
---
M manifests/role/nova.pp
M templates/apache/sites/wikitech.wikimedia.org.erb
2 files changed, 3 insertions(+), 3 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp
index 3f55ec1..d486361 100644
--- a/manifests/role/nova.pp
+++ b/manifests/role/nova.pp
@@ -306,6 +306,8 @@
         ca => $ca
     }
 
+    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+
     class { 'openstack::openstack-manager':
         openstack_version => $openstack_version,
         novaconfig        => $novaconfig,
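Review bot: `$ssl_settings` is assigned as a local variable in the role, just above the `openstack::openstack-manager` declaration, but nothing in the visible lines passes it into that class. The template in this change reads `@ssl_settings`, which resolves in the scope where the template is rendered. If that scope is `openstack::openstack-manager` or a class it declares rather than this role, `.join` would be called on an undefined value. Passing the result as an explicit class parameter would make the dependency visible. A one-line comment on why `'compat'` is the level chosen for this host would also help.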
diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb 
b/templates/apache/sites/wikitech.wikimedia.org.erb
index 508b77c..a49ad9d 100644
--- a/templates/apache/sites/wikitech.wikimedia.org.erb
+++ b/templates/apache/sites/wikitech.wikimedia.org.erb
@@ -40,12 +40,10 @@
     ServerName <%= @webserver_hostname %>
 
     SSLEngine on
-    SSLProtocol +ALL -SSLv2
-    SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
-    SSLHonorCipherOrder on
     SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
     SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
     SSLCACertificatePath /etc/ssl/certs/
+    <%= @ssl_settings.join("\n") %>
 
     Header set Strict-Transport-Security "max-age=31536000"
 
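Review bot: at the added `<%= @ssl_settings.join("\n") %>` line, nothing in the template now shows that SSLv2 stays disabled or that server cipher order is enforced, both of which the removed `SSLProtocol +ALL -SSLv2` and `SSLHonorCipherOrder on` lines stated explicitly. Please confirm from a compiled catalog or the rendered vhost that the output of `ssl_ciphersuite('apache-2.2', 'compat')` still covers both. Two smaller points: only the first joined element receives the four-space indent, so `join("\n    ")` would keep the rendered config aligned, and the expression has no guard if `@ssl_settings` is unset in the rendering scope.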

-- 
To view, visit https://gerrit.wikimedia.org/r/153975
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9334b8c53b1e855f0bc241dca89a85e1f44aa4a5
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
