From dc01a8ab63aff1be170fb59c293ed4bddd03749a Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sun, 14 Jul 2019 22:33:13 +0200
Subject: [PATCH] Switch TLS tests to TLSv1.2+ only
This would more likely match a relevant production deployment.
Change-Id: I4ee2ff0c00a8e33fd069a782b32eed5fef62c01b
---
files/apache-keystone.template | 1 +
files/apache-neutron.template | 1 +
lib/tls | 1 +
3 files changed, 3 insertions(+)
diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 128436027d..480fe06a9c 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -38,6 +38,7 @@ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)"
%SSLLISTEN% %SSLENGINE%
%SSLLISTEN% %SSLCERTFILE%
%SSLLISTEN% %SSLKEYFILE%
+%SSLLISTEN% SSLProtocol -all +TLSv1.3 +TLSv1.2
%SSLLISTEN%
Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public
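Review bot: The added `SSLProtocol -all +TLSv1.3 +TLSv1.2` line names TLSv1.3 explicitly, and mod_ssl accepts that token only when httpd is built against an OpenSSL with TLS 1.3 support (1.1.1 or later). On older builds the directive is likely to be rejected as an illegal protocol, so Apache would fail to start instead of falling back to TLSv1.2. A subtractive form such as `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` sets the same TLSv1.2+ floor without depending on the build knowing the newer token. The same line is added in files/apache-neutron.template and in the vhost text in lib/tls, so all three should change together. The enclosing vhost block starts and ends outside this hunk.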
diff --git a/files/apache-neutron.template b/files/apache-neutron.template
index c7796b93bf..358e87f5da 100644
--- a/files/apache-neutron.template
+++ b/files/apache-neutron.template
@@ -24,6 +24,7 @@ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)"
%SSLLISTEN% %SSLENGINE%
%SSLLISTEN% %SSLCERTFILE%
%SSLLISTEN% %SSLKEYFILE%
+%SSLLISTEN% SSLProtocol -all +TLSv1.3 +TLSv1.2
%SSLLISTEN%
Alias /networking %NEUTRON_BIN%/neutron-api
diff --git a/lib/tls b/lib/tls
index 0032449e13..6f2a65a75b 100644
--- a/lib/tls
+++ b/lib/tls
@@ -536,6 +536,7 @@ $listen_string
SSLEngine On
SSLCertificateFile $DEVSTACK_CERT
+ SSLProtocol -all +TLSv1.3 +TLSv1.2
# Disable KeepAlive to fix bug #1630664 a.k.a the
# ('Connection aborted.', BadStatusLine("''",)) error