Dzahn has submitted this change and it was merged.
Change subject: gerrit - use global ssl_ciphersuite settings
......................................................................
gerrit - use global ssl_ciphersuite settings
use ssl_ciphersuite to include SSL Cipher settings
from a centralized place instead of setting
them in each module separately
Change-Id: I9382cfc3aa8d1fe7fe1f3c35f2472f39be4de211
---
M manifests/gerrit.pp
M templates/apache/sites/gerrit.wikimedia.org.erb
2 files changed, 2 insertions(+), 3 deletions(-)
Approvals:
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/manifests/gerrit.pp b/manifests/gerrit.pp
index d1e4a94..d4cc0f1 100644
--- a/manifests/gerrit.pp
+++ b/manifests/gerrit.pp
@@ -27,6 +27,7 @@
$dbuser = $db_user
$dbpass = $passwords::gerrit::gerrit_db_pass
$bzpass = $passwords::gerrit::gerrit_bz_pass
+ $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
# Setup LDAP
include ldap::role::config::labs
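Review bot: The added `$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')` line hard-codes both the server flavour and the 'compat' level without a comment. Please add a short comment saying why this vhost uses 'compat' and that the variable is consumed by templates/apache/sites/gerrit.wikimedia.org.erb, since the manifest-to-template dependency is otherwise implicit. The 'apache-2.2' argument also has to be kept in step with the Apache version actually installed on the host.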
diff --git a/templates/apache/sites/gerrit.wikimedia.org.erb
b/templates/apache/sites/gerrit.wikimedia.org.erb
index aeaa181..c4a89b3 100644
--- a/templates/apache/sites/gerrit.wikimedia.org.erb
+++ b/templates/apache/sites/gerrit.wikimedia.org.erb
@@ -47,12 +47,10 @@
ServerName <%= @host %>
SSLEngine on
- SSLProtocol +ALL -SSLv2
- SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
- SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/<%= @ssl_cert %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @ssl_cert_key %>.key
SSLCACertificatePath /etc/ssl/certs/
+ <%= @ssl_settings.join("\n") %>
RedirectMatch ^/$ https://<%= @host %>/r/
RedirectMatch ^/gitweb/(.*)$ https://<%= @host %>/r/gitweb?p=$1
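Review bot: After this hunk the vhost depends entirely on `@ssl_settings` for what the three removed directives did (SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder), and nothing in the diff shows that the function's output contains all three. Please confirm on the rendered vhost that a protocol restriction and `SSLHonorCipherOrder on` are still present, because any directive that is missing silently falls back to the Apache default. Also note that `@ssl_settings.join("\n")` fails template evaluation if the variable is unset (nil) in the including scope, and that only the first joined line picks up the template's indentation.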
--
To view, visit https://gerrit.wikimedia.org/r/153967
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I9382cfc3aa8d1fe7fe1f3c35f2472f39be4de211
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Chmarkine <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: Matanya <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits