From b99a18cf04a3ee1d828f8930314f392e03ebb55f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Sat, 13 Apr 2019 17:07:05 +0200 Subject: [PATCH] Re-enable TLSv1.2 and TLSv1.3 Signed-off-by: Patrick Uiterwijk --- vars/global.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/vars/global.yml b/vars/global.yml index 12341819c9..9be670a52e 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -55,8 +55,7 @@ rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64 # Note: we do "all and blacklist" rather than whitelist to make sure we can use this # same list on both EL7 and Fedora and get new ciphers: on Fedora, at time of writing, # this includes TLSv1.3, which EL7 does not have. -#ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1" -ssl_protocols: "-all +TLSv1 +TLSv1.1 +TLSv1.2" +ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1" ssl_ciphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK" # Set a default hostname base to transient. Override in host vars or command line.