Faidon Liambotis has submitted this change and it was merged.
Change subject: ssl_ciphersuite: make cipherlist more readable
......................................................................
ssl_ciphersuite: make cipherlist more readable
The current version of one single string of ciphers is hard for humans
to parse and make changes to. Switch to using an array instead, which is
subsequently joined with ":" later.
Change-Id: I7b93cadcaf7fba93b6703a10198e88b0e0c95d3f
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 50 insertions(+), 3 deletions(-)
Approvals:
Faidon Liambotis: Verified; Looks good to me, approved
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index fbd9346..34b4401 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -47,8 +47,55 @@
module Puppet::Parser::Functions
ciphersuites = {
- 'compat' =>
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!DH',
- 'strong' =>
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH'
+ 'compat' => [
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'ECDHE-ECDSA-AES128-SHA256',
+ 'ECDHE-RSA-AES128-SHA',
+ 'ECDHE-ECDSA-AES128-SHA',
+ 'ECDHE-RSA-AES256-SHA384',
+ 'ECDHE-ECDSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA',
+ 'ECDHE-ECDSA-AES256-SHA',
+ 'AES128-GCM-SHA256',
+ 'AES256-GCM-SHA384',
+ 'AES128',
+ 'AES256',
+ 'HIGH',
+ '!aNULL',
+ '!eNULL',
+ '!EXPORT',
+ '!DES',
+ '!MD5',
+ '!PSK',
+ '!DH',
+ ],
+ 'strong' => [
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES128-SHA256',
+ 'ECDHE-ECDSA-AES128-SHA256',
+ 'ECDHE-RSA-AES128-SHA',
+ 'ECDHE-ECDSA-AES128-SHA',
+ 'ECDHE-RSA-AES256-SHA384',
+ 'ECDHE-ECDSA-AES256-SHA384',
+ 'ECDHE-RSA-AES256-SHA',
+ 'ECDHE-ECDSA-AES256-SHA',
+ 'HIGH',
+ '!aNULL',
+ '!eNULL',
+ '!EXPORT',
+ '!DES',
+ '!3DES',
+ '!MD5',
+ '!PSK',
+ '!DH',
+ ],
}
newfunction(
:ssl_ciphersuite,
@@ -93,7 +140,7 @@
fail(ArgumentError, "ssl_ciphersuite(): unknown ciphersuite
'#{ciphersuite}'")
end
- cipherlist = ciphersuites[ciphersuite]
+ cipherlist = ciphersuites[ciphersuite].join(":")
if ciphersuite == 'strong' && server == 'apache' && server_version < 24
fail(ArgumentError, 'ssl_ciphersuite(): apache 2.2 cannot work in strong
PFS mode')
--
To view, visit https://gerrit.wikimedia.org/r/221073
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I7b93cadcaf7fba93b6703a10198e88b0e0c95d3f
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
