Dzahn has submitted this change and it was merged.
Change subject: ishmael - use ssl_ciphersuite
......................................................................
ishmael - use ssl_ciphersuite
In the past, when we changed SSL cipher settings
we had to create many changes, usually one per service.
Then Giuseppe introduced ssl_ciphersuite in I9bc1104b7f770d9
which moves the settings into a centralized function.
This change makes it actually use the new function.
One last time we are going through all of the services,
but in the future we will be able to make a single change
to update ciphers across misc. services.
Change-Id: I183cc083f611d4e5d1ab6308431cf422a0b16a7a
---
M manifests/role/ishmael.pp
M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
2 files changed, 2 insertions(+), 3 deletions(-)
Approvals:
Chmarkine: Looks good to me, but someone else must approve
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/manifests/role/ishmael.pp b/manifests/role/ishmael.pp
index 56192ea..eefa347 100644
--- a/manifests/role/ishmael.pp
+++ b/manifests/role/ishmael.pp
@@ -5,6 +5,7 @@
system::role { 'role::ishmael': description => 'ishmael server' }
install_certificate{ 'ishmael.wikimedia.org': ca => 'RapidSSL_CA.pem' }
+ $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
class { '::ishmael':
site_name => 'ishmael.wikimedia.org',
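Review bot: `$ssl_settings` is assigned in the role class on the added line, but the only consumer visible in this change is the template under modules/ishmael, and the `class { '::ishmael':` declaration shown here does not pass it in. Relying on the template picking up a variable from the declaring scope is fragile; consider giving the ishmael class an explicit parameter and passing `$ssl_settings` through it, or calling `ssl_ciphersuite` inside the module, so the dependency is visible and a missing value fails loudly. A short comment on why the 'compat' level was chosen for this host would also help the next cipher review.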
diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
index 12badab..980b13b 100644
--- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
+++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
@@ -7,12 +7,10 @@
<VirtualHost *:443>
ServerName <%= @site_name %>
SSLEngine On
- SSLProtocol +ALL -SSLv2
- SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
- SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/private/ishmael.wikimedia.org.pem
SSLCertificateKeyFile /etc/ssl/private/ishmael.wikimedia.org.key
SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA.pem
+ <%= @ssl_settings.join("\n") %>
DocumentRoot <%= @docroot %>
<Directory "<%= @docroot %>">
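Review bot: on the added `<%= @ssl_settings.join("\n") %>` line, the vhost's whole protocol and cipher policy now depends on `@ssl_settings` being a populated array in the template's scope. If it is undefined, `.join` is called on nil and the template fails to render; if it is empty, the vhost is written with no SSLProtocol, SSLCipherSuite or SSLHonorCipherOrder and falls back to Apache defaults without any error. The diff does not show what `ssl_ciphersuite('apache-2.2', 'compat')` emits, so it is worth confirming in a compile test or on the host that the rendered file still contains all three directives, and that the result is no weaker than the removed `SSLProtocol +ALL -SSLv2` plus explicit cipher list.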
--
To view, visit https://gerrit.wikimedia.org/r/153982
Gerrit-MessageType: merged
Gerrit-Change-Id: I183cc083f611d4e5d1ab6308431cf422a0b16a7a
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Chmarkine <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: Springle <[email protected]>
Gerrit-Reviewer: jenkins-bot <>