Re-enable TLSv1.2 and TLSv1.3

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Patrick Uiterwijk 2019-04-13 17:07:05 +02:00
parent 47781778ff
commit b99a18cf04


@ -55,8 +55,7 @@ rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
# Note: we do "all and blacklist" rather than whitelist to make sure we can use this # Note: we do "all and blacklist" rather than whitelist to make sure we can use this
# same list on both EL7 and Fedora and get new ciphers: on Fedora, at time of writing, # same list on both EL7 and Fedora and get new ciphers: on Fedora, at time of writing,
# this includes TLSv1.3, which EL7 does not have. # this includes TLSv1.3, which EL7 does not have.
#ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1" ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1"
ssl_protocols: "-all +TLSv1 +TLSv1.1 +TLSv1.2"
ssl_ciphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK" ssl_ciphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
# Set a default hostname base to transient. Override in host vars or command line. # Set a default hostname base to transient. Override in host vars or command line.