Dzahn has uploaded a new change for review.
https://gerrit.wikimedia.org/r/153986
Change subject: puppetmaster - use ssl_ciphersuite
......................................................................
puppetmaster - use ssl_ciphersuite
Change-Id: I4d9315260058b1702c31e3deb12bd0616ee02d50
---
M manifests/role/puppetmaster.pp
M modules/puppetmaster/templates/puppetmaster.erb
2 files changed, 3 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/86/153986/1
diff --git a/manifests/role/puppetmaster.pp b/manifests/role/puppetmaster.pp
index 17ef38f..93aa7d7 100644
--- a/manifests/role/puppetmaster.pp
+++ b/manifests/role/puppetmaster.pp
@@ -8,6 +8,8 @@
'*.ulsfo.wmnet',
'*.esams.wmnet',
]
+
+ $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
}
class role::puppetmaster::frontend {
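Review bot: `$ssl_settings` is assigned in this role class, but puppetmaster.erb belongs to the puppetmaster module and reads it as the bare `@ssl_settings`, which only resolves if the class that renders the template has the variable in its own scope. Where the template is rendered is not visible in this change; if that happens in a module class, the value would be nil there and `.join` would fail catalog compilation. Passing the list explicitly as a class parameter, or reading it by qualified name in the template, would make the dependency visible. A short comment on the new line saying why the `compat` level is chosen for port 8140, whose clients appear to be puppet agents rather than browsers, would also help later reviewers. The enclosing class starts outside the hunk.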
diff --git a/modules/puppetmaster/templates/puppetmaster.erb
b/modules/puppetmaster/templates/puppetmaster.erb
index 6518cab..e8cbc5a 100644
--- a/modules/puppetmaster/templates/puppetmaster.erb
+++ b/modules/puppetmaster/templates/puppetmaster.erb
@@ -13,8 +13,6 @@
<%- if @server_type == 'frontend' or @server_type == 'standalone' -%>
<VirtualHost <%= scope.lookupvar('puppetmaster::passenger::bind_address')
%>:8140>
SSLEngine on
- SSLProtocol -ALL +SSLv3 +TLSv1
- SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/server/ssl/certs/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
SSLCertificateKeyFile /var/lib/puppet/server/ssl/private_keys/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
@@ -26,6 +24,7 @@
SSLVerifyClient <%=
scope.lookupvar('puppetmaster::passenger::verify_client') %>
SSLVerifyDepth 1
SSLOptions +StdEnvVars
+ <%= @ssl_settings.join("\n") %>
<%- if @server_type == 'frontend' -%>
# These request headers are used to pass the client certificate
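Review bot: With the explicit `SSLProtocol` and `SSLCipherSuite` lines removed in the previous hunk, the TLS policy of this vhost depends entirely on what `ssl_ciphersuite('apache-2.2', 'compat')` returns, and that output is not visible here. If the returned list holds only cipher directives, protocol selection falls back to Apache's server-wide default, so confirm that the rendered vhost still carries an `SSLProtocol` line or keep one in the template, for example `SSLProtocol all -SSLv2 -SSLv3` if the agents support it. The expression also calls `.join` on `@ssl_settings` without a guard, so an unset variable aborts rendering. That is preferable to silently emitting no TLS settings, but a template comment above the line naming where the variable is defined would make a failure easier to trace. The VirtualHost block starts and ends outside the hunk.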
--
To view, visit https://gerrit.wikimedia.org/r/153986
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4d9315260058b1702c31e3deb12bd0616ee02d50
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>