Merge lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support into lp:charms/trusty/haproxy

Proposed by Free Ekanayaka
Status: Merged
Merged at revision: 96
Proposed branch: lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support
Merge into: lp:charms/trusty/haproxy
Diff against target: 90 lines (+21/-1)
4 files modified
config.yaml (+12/-0)
hooks/hooks.py (+2/-0)
hooks/tests/test_helpers.py (+4/-0)
hooks/tests/test_reverseproxy_hooks.py (+3/-1)
To merge this branch: bzr merge lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support
Reviewer: Chris Glass (community)
Review status: Approve
Review via email: mp+268226@code.launchpad.net

Description of the change

This branch adds a config option to tweak the value of the ciphers used by TLS. The default ones used by HAProxy are a bit too broad for most people's needs, so the charm default follows the recommendation from:

https://weakdh.org/sysadmin.html#haproxy
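
As an added example (not part of this merge proposal or of the charm), the script below expands a cipher string with the local OpenSSL, which is how haproxy's `ssl-default-bind-ciphers` value is interpreted, and flags the suites an operator would want to know about: those without forward secrecy and those using RC4, single DES, NULL, MD5, anonymous or export-grade algorithms. The charm default is copied verbatim from the proposed config.yaml; the classification rules, the `audit_cipher_spec` / `expand_cipher_spec` names and the `weak` / `no_pfs` / `legacy` buckets are this example's own assumptions.

```python
"""Audit an OpenSSL cipher string before handing it to haproxy.

Added example for this review, not charm code: it expands a cipher string
with the local OpenSSL (the library haproxy links against) and flags suites
that lack forward secrecy or use weak primitives, so a value intended for
global_default_bind_ciphers can be checked before it is written to the
global section.  Assumes Python >= 3.6 for SSLContext.get_ciphers().
"""
import re
import ssl

# Default for global_default_bind_ciphers, copied from the proposed config.yaml.
CHARM_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Fields of SSL_CIPHER_description(), e.g. "Kx=ECDH  Au=RSA  Enc=AESGCM(128)  Mac=AEAD".
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

# OpenSSL labels ephemeral ECDHE as Kx=ECDH and DHE as Kx=DH; both give forward secrecy.
_PFS_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK"}


def expand_cipher_spec(spec):
    """Expand *spec* into the ordered TLS <= 1.2 suites the local OpenSSL selects.

    OpenSSL silently ignores names it does not know; only a string that
    selects no suite at all makes set_ciphers() raise ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    suites = []
    for c in ctx.get_ciphers():
        if c["name"].startswith("TLS_"):
            continue  # TLS 1.3 suites are a fixed set, not governed by the cipher string
        fields = dict(_FIELD.findall(c["description"]))
        fields["name"] = c["name"]
        suites.append(fields)
    return suites


def audit_cipher_spec(spec):
    """Return the suites *spec* enables and the ones a reviewer would flag."""
    try:
        suites = expand_cipher_spec(spec)
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "suites": [],
                "weak": [], "no_pfs": [], "legacy": []}
    weak = [s["name"] for s in suites
            if s.get("Enc", "").startswith(("RC4", "DES(", "None"))  # RC4, single DES, NULL
            or s.get("Mac") == "MD5"
            or s.get("Au") == "None"                                  # anonymous DH / ECDH
            or s["name"].startswith("EXP")]                           # export grade
    no_pfs = [s["name"] for s in suites if s.get("Kx") not in _PFS_KX]
    legacy = [s["name"] for s in suites if s.get("Enc", "").startswith("3DES")]
    return {"ok": True, "error": None, "suites": [s["name"] for s in suites],
            "weak": weak, "no_pfs": no_pfs, "legacy": legacy}


if __name__ == "__main__":
    report = audit_cipher_spec(CHARM_DEFAULT)
    print("%d suites, first: %s" % (len(report["suites"]), report["suites"][0]))
    print("weak (expected empty):", report["weak"])
    print("no forward secrecy (static RSA kept for old clients):", report["no_pfs"])
    print("3DES kept for legacy clients:", report["legacy"])
```

For the charm default the `weak` bucket is empty, the first suite is the ECDHE AES-GCM one the string leads with, and `no_pfs` holds only the static RSA `AES*` suites kept for old clients. Feeding it the sample string from the new config.yaml description, `AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH`, reports RC4 suites under `weak` on any OpenSSL build that still ships RC4, because `+RC4` only moves those suites to the end of the list rather than excluding them.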

Revision history for this message
Chris Glass (tribaal) wrote :

Looks good! Glad to see RC4 go the way of the dodo.

+1

review: Approve

Preview Diff

1=== modified file 'config.yaml'
2--- config.yaml 2015-06-10 14:38:26 +0000
3+++ config.yaml 2015-08-17 13:25:06 +0000
4@@ -48,6 +48,18 @@
5 Default value if 1024, higher values will increase the CPU load, and values
6 greater than 1024 bits are not supported by Java 7 and earlier clients. This
7 config key will be ignored if the installed haproxy package has no SSL support.
8+ global_default_bind_ciphers:
9+ default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
10+ type: string
11+ description: |
12+ Sets the default string describing the list of cipher algorithms
13+ ("cipher suite") that are negotiated during the SSL/TLS handshake for
14+ all "bind" lines which do not explicitly define theirs. The format of
15+ the string is defined in "man 1 ciphers" from OpenSSL man pages, and
16+ can be for instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
17+ (without quotes). Please check the "bind" keyword for more information.
18+ This config key will be ignored if the installed haproxy package has no SSL
19+ support.
20 default_log:
21 default: "global"
22 type: string
23
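Review bot: the sample cipher string in the new description, "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH", only demotes RC4 to the end of the list with `+RC4` instead of removing it, which contradicts the `!RC4` in the default a few lines above and invites operators to copy a value that keeps RC4 negotiable; suggest a sample built from exclusions only (for instance the tail of the default itself, `!aNULL:!eNULL:!EXPORT:!RC4:!MD5`). The description should also record where the default comes from (the weakdh.org HAProxy guidance cited in the merge description) and that it deliberately keeps `DES-CBC3-SHA` and the static RSA `AES*` suites for old clients, and note that the DHE-* suites it enables are only as strong as `global_default_dh_param`, which the context just above documents as defaulting to 1024 bits.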
24=== modified file 'hooks/hooks.py'
25--- hooks/hooks.py 2015-06-10 14:44:49 +0000
26+++ hooks/hooks.py 2015-08-17 13:25:06 +0000
27@@ -161,6 +161,8 @@
28 if has_ssl_support():
29 haproxy_globals.append(" tune.ssl.default-dh-param %d" %
30 config_data['global_default_dh_param'])
31+ haproxy_globals.append(" ssl-default-bind-ciphers %s" %
32+ config_data['global_default_bind_ciphers'])
33 if config_data['global_stats_socket'] is True:
34 sock_path = "/var/run/haproxy/haproxy.sock"
35 haproxy_globals.append(" stats socket %s mode 0600" % sock_path)
36
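Review bot: `config_data['global_default_bind_ciphers']` is interpolated into the global section with a bare `%s` and no validation, so an empty value emits `ssl-default-bind-ciphers ` with no argument and a value containing whitespace or a newline is written into haproxy.cfg as extra tokens or further directives. Suggest guarding the append with a stripped, non-empty value, e.g. `ciphers = config_data.get('global_default_bind_ciphers', '').strip()` followed by `if ciphers: haproxy_globals.append(" ssl-default-bind-ciphers %s" % ciphers)`, and rejecting values that contain whitespace, matching how the config.yaml description promises the key is simply ignored when it cannot apply.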
37=== modified file 'hooks/tests/test_helpers.py'
38--- hooks/tests/test_helpers.py 2015-06-10 14:38:26 +0000
39+++ hooks/tests/test_helpers.py 2015-08-17 13:25:06 +0000
40@@ -23,6 +23,7 @@
41 'global_group': 'foo-group',
42 'global_spread_checks': 234,
43 'global_default_dh_param': 345,
44+ 'global_default_bind_ciphers': "my:ciphers",
45 'global_debug': False,
46 'global_quiet': False,
47 'global_stats_socket': True,
48@@ -40,6 +41,7 @@
49 ' group foo-group',
50 ' spread-checks 234',
51 ' tune.ssl.default-dh-param 345',
52+ ' ssl-default-bind-ciphers my:ciphers',
53 ' stats socket %s mode 0600' % sock_path,
54 ])
55 self.assertEqual(result, expected)
56@@ -55,6 +57,7 @@
57 'global_group': 'foo-group',
58 'global_spread_checks': 234,
59 'global_default_dh_param': 345,
60+ 'global_default_bind_ciphers': "my:ciphers",
61 'global_debug': True,
62 'global_quiet': True,
63 'global_stats_socket': False,
64@@ -73,6 +76,7 @@
65 ' quiet',
66 ' spread-checks 234',
67 ' tune.ssl.default-dh-param 345',
68+ ' ssl-default-bind-ciphers my:ciphers',
69 ])
70 self.assertEqual(result, expected)
71
72
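Review bot: both fixtures only exercise a populated `global_default_bind_ciphers` ("my:ciphers"); there is no case with the key missing or set to an empty string, so these tests pin nothing about whether `hooks.py` emits `ssl-default-bind-ciphers` with an empty argument. Suggest a third case with `'global_default_bind_ciphers': ''` that asserts the directive is omitted from the expected globals (or whatever behaviour the hook is meant to have for an empty value).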
73=== modified file 'hooks/tests/test_reverseproxy_hooks.py'
74--- hooks/tests/test_reverseproxy_hooks.py 2015-06-10 14:38:26 +0000
75+++ hooks/tests/test_reverseproxy_hooks.py 2015-08-17 13:25:06 +0000
76@@ -1,3 +1,4 @@
77+import os
78 import base64
79 import yaml
80
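Review bot: `import os` is added at the top of the test module but nothing in this diff uses `os`, and the merge description does not mention it; either drop it or include the change that needs it, since an unused import is a pyflakes/flake8 error.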
81@@ -472,7 +473,8 @@
82 "service_name": "service",
83 },
84 }
85- self.unit_get.return_value = "1.2.4.5"
86+ unit_get = self.patch_hook("unit_get")
87+ unit_get.return_value = "1.2.4.5"
88 self.relations_of_type.return_value = [
89 {"port": 4242,
90 "private-address": "1.2.4.4",
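Review bot: replacing `self.unit_get.return_value` with `unit_get = self.patch_hook("unit_get")` is a test-harness fix unrelated to the cipher option and is not mentioned in the merge description; it should be called out there (or land separately) so the reason for patching `unit_get` explicitly in this test is on record.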
