Switch back to TLSv1.2 on the backend

python · Jan 14, 2015 · 42028d7 · 42028d7
1 parent a59052e
commit 42028d7
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 5 deletions.
diff --git a/salt/haproxy/config/haproxy.cfg.jinja b/salt/haproxy/config/haproxy.cfg.jinja
@@ -213,7 +213,7 @@ backend {{ service }}
     {% endfor -%}
 
     {{ "{{" }}range service "{{ service }}@{{ pillar.dc }}"}}
-    {% raw %}server {{.Name}} {{.Address}}:{{.Port}}{% endraw %}{% if config.get("check", True) %} check{% endif %} ssl verifyhost {{ config.get("verify_host", service + ".psf.io") }} ca-file {{ config.get("ca-file", "PSF_CA.pem") }}{{ "{{end}}" }}
+    {% raw %}server {{.Name}} {{.Address}}:{{.Port}}{% endraw %}{% if config.get("check", True) %} check{% endif %} ssl force-tlsv12 verifyhost {{ config.get("verify_host", service + ".psf.io") }} ca-file {{ config.get("ca-file", "PSF_CA.pem") }}{{ "{{end}}" }}
 
 {% endfor %}
 

diff --git a/salt/hg/config/hg.apache.conf.jinja b/salt/hg/config/hg.apache.conf.jinja
@@ -6,7 +6,7 @@
     SSLCertificateKeyFile /etc/ssl/private/hg.psf.io.pem
     SSLCipherSuite {{ pillar["tls"]["ciphers"].get("backend", pillar["tls"]["ciphers"]["default"]) }}
     SSLHonorCipherOrder on
-    # SSLProtocol TLSv1.2
+    SSLProtocol TLSv1.2
 
     TransferLog /var/log/apache2/hg.access.log
     ErrorLog /var/log/apache2/hg.error.log

diff --git a/salt/nginx/config/fastly_params.jinja b/salt/nginx/config/fastly_params.jinja
@@ -1,9 +1,7 @@
 port_in_redirect off;
 
 ssl_ciphers {{ pillar["tls"]["ciphers"].get("backend", pillar["tls"]["ciphers"]["default"]) }};
-# Once the LBs upgrade to Trusty try turning this back on.
-# Also set force-tlsv12 back on the HAProxy backends.
-# ssl_protocols TLSv1.2;
+ssl_protocols TLSv1.2;
 
 set_real_ip_from  {{ pillar["psf_internal_network"] }};
 set_real_ip_from  {{ pillar["pypi_internal_network"] }};