From 90247cf8cd0eac760d5b8eb986ceacf0db3fcc7f Mon Sep 17 00:00:00 2001
From: Lukas Bezdicka
Date: Fri, 2 Jan 2015 20:04:10 +0100
Subject: [PATCH] Switch to TLSv1 as SSLv3 is considered insecure and is disabled by default Rabbitmq won't talk to us anymore if we try to use SSLv3 as it disabled support for SSLv3. Openstack components use python's openssl implementation which does not support TLSv1.1 and TLSv1.2 yet so we just switch to TLSv1. Support for newer TLS should come with python 2.7.9+
Closes-Bug: #1409667
Change-Id: I00cfa06030b84ae23cb8548b74cf5684562377aa
---
 manifests/init.pp | 4 ++--
 spec/classes/ceilometer_init_spec.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 66aada3..823fc5b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -53,7 +53,7 @@
 # (optional) SSL version to use (valid only if SSL enabled).
 # Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
 # available on some distributions.
-# Defaults to 'SSLv3'
+# Defaults to 'TLSv1'
 #
 # [*qpid_hostname*]
 # [*qpid_port*]
@@ -91,7 +91,7 @@ class ceilometer(
 $kombu_ssl_ca_certs = undef,
 $kombu_ssl_certfile = undef,
 $kombu_ssl_keyfile = undef,
- $kombu_ssl_version = 'SSLv3',
+ $kombu_ssl_version = 'TLSv1',
 $qpid_hostname = 'localhost',
 $qpid_port = 5672,
 $qpid_username = 'guest',
diff --git a/spec/classes/ceilometer_init_spec.rb b/spec/classes/ceilometer_init_spec.rb
index a4b6918..1da2e32 100644
--- a/spec/classes/ceilometer_init_spec.rb
+++ b/spec/classes/ceilometer_init_spec.rb
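Review bot: The parameter documentation in the first `manifests/init.pp` hunk still lists SSLv3 (and possibly SSLv2) as valid values with no hint that they are insecure, which now sits oddly next to the new default. I would reword the values line to something like `#   Valid values are TLSv1, SSLv23 and SSLv3 (SSLv3 and SSLv2 are insecure and should not be used).` so that someone reading only the doc block does not pick the old value back up. The doc block starts above the hunk, so the parameter heading it belongs to is not visible here.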
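Review bot: Only the default of `$kombu_ssl_version` changes in the `class ceilometer(` parameter list; a manifest or hiera value that sets 'SSLv3' explicitly is still passed through, and nothing visible in this hunk validates or warns about it. Consider a check in the class body along the lines of `if $kombu_ssl_version in ['SSLv2', 'SSLv3'] { warning('kombu_ssl_version: SSLv2 and SSLv3 are insecure') }`. 'TLSv1' also pins the connection to TLS 1.0, which the commit message explains as a Python limitation, so a comment next to the default such as `# TODO: move to a newer TLS version once python >= 2.7.9 is the baseline` would keep the follow-up from being forgotten. The class body lies outside the hunk, so an existing check there cannot be ruled out.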
@@ -252,7 +252,7 @@ describe 'ceilometer' do
 it { should contain_ceilometer_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent') }
 it { should contain_ceilometer_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent') }
 it { should contain_ceilometer_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent') }
- it { should contain_ceilometer_config('DEFAULT/kombu_ssl_version').with_value('SSLv3') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_version').with_value('TLSv1') }
 end
 context "with SSL wrongly configured" do
--
2.45.2