Merge lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support into lp:charms/trusty/haproxy

Proposed by Free Ekanayaka
Status: Merged
Merged at revision: 96
Proposed branch: lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support
Merge into: lp:charms/trusty/haproxy
Diff against target: 90 lines (+21/-1)
4 files modified
config.yaml (+12/-0)
hooks/hooks.py (+2/-0)
hooks/tests/test_helpers.py (+4/-0)
hooks/tests/test_reverseproxy_hooks.py (+3/-1)
To merge this branch: bzr merge lp:~free.ekanayaka/charms/trusty/haproxy/ciphers-support
Reviewer Review Type Date Requested Status
Chris Glass (community) Approve
Review via email: mp+268226@code.launchpad.net

Description of the change

This branch adds a config option to tweak the value of the ciphers used by TLS. The default ones used by HAProxy are a bit too broad for most people's needs, so the charm default follows the recommendation from:

https://weakdh.org/sysadmin.html#haproxy

Revision history for this message
Chris Glass (tribaal) wrote :

Looks good! Glad to see RC4 go the way of the dodo.

+1

review: Approve


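--- a/config.yaml
+++ b/config.yaml
@@ -48,6 +48,18 @@
 Default value if 1024, higher values will increase the CPU load, and values
 greater than 1024 bits are not supported by Java 7 and earlier clients. This
 config key will be ignored if the installed haproxy package has no SSL support.
+global_default_bind_ciphers:
+default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+type: string
+description: |
+Sets the default string describing the list of cipher algorithms
+("cipher suite") that are negotiated during the SSL/TLS handshake for
+all "bind" lines which do not explicitly define theirs. The format of
+the string is defined in "man 1 ciphers" from OpenSSL man pages, and
+can be for instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
+(without quotes). Please check the "bind" keyword for more information.
+This config key will be ignored if the installed haproxy package has no SSL
+support.
 default_log:
 default: "global"
 type: string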
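Review bot: The description of `global_default_bind_ciphers` does not record where its long default comes from, so a later operator cannot tell why it differs from HAProxy's built-in default or when it should be revisited; the merge description cites https://weakdh.org/sysadmin.html#haproxy and that belongs in the YAML too, e.g. `The default follows the recommendation at https://weakdh.org/sysadmin.html#haproxy.` It is also worth stating that the default is a preference-ordered allow-list that still admits `DES-CBC3-SHA` (and the SHA-1 CBC suites) for older clients, so deployments with no such clients know they may tighten it. The example string in the description (`+RC4`) re-enables a suite the default deliberately excludes with `!RC4`; a less contradictory example would avoid pointing operators back at RC4.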
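--- a/hooks/hooks.py
+++ b/hooks/hooks.py
@@ -161,6 +161,8 @@
 if has_ssl_support():
 haproxy_globals.append(" tune.ssl.default-dh-param %d" %
 config_data['global_default_dh_param'])
+haproxy_globals.append(" ssl-default-bind-ciphers %s" %
+config_data['global_default_bind_ciphers'])
 if config_data['global_stats_socket'] is True:
 sock_path = "/var/run/haproxy/haproxy.sock"
 haproxy_globals.append(" stats socket %s mode 0600" % sock_path)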
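Review bot: The new `ssl-default-bind-ciphers` line at new lines 164-165 interpolates the config value into haproxy.cfg verbatim, so an empty `global_default_bind_ciphers` produces a directive with no argument and HAProxy will refuse the generated configuration; the `tune.ssl.default-dh-param` line above cannot hit this because its value is an integer formatted with `%d`. Guarding the append keeps an unset option from taking the proxy down: `ciphers = config_data['global_default_bind_ciphers']` / `if ciphers:` / `haproxy_globals.append(" ssl-default-bind-ciphers %s" % ciphers)`, and that guard is also the natural place to reject a value containing whitespace, which would otherwise be emitted as extra tokens or lines in the global section. The enclosing function starts and ends outside the hunk, and whether the charm validates config values elsewhere is not visible here.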
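--- a/hooks/tests/test_helpers.py
+++ b/hooks/tests/test_helpers.py
@@ -23,6 +23,7 @@
 'global_group': 'foo-group',
 'global_spread_checks': 234,
 'global_default_dh_param': 345,
+'global_default_bind_ciphers': "my:ciphers",
 'global_debug': False,
 'global_quiet': False,
 'global_stats_socket': True,
@@ -40,6 +41,7 @@
 ' group foo-group',
 ' spread-checks 234',
 ' tune.ssl.default-dh-param 345',
+' ssl-default-bind-ciphers my:ciphers',
 ' stats socket %s mode 0600' % sock_path,
 ])
 self.assertEqual(result, expected)
@@ -55,6 +57,7 @@
 'global_group': 'foo-group',
 'global_spread_checks': 234,
 'global_default_dh_param': 345,
+'global_default_bind_ciphers': "my:ciphers",
 'global_debug': True,
 'global_quiet': True,
 'global_stats_socket': False,
@@ -73,6 +76,7 @@
 ' quiet',
 ' spread-checks 234',
 ' tune.ssl.default-dh-param 345',
+' ssl-default-bind-ciphers my:ciphers',
 ])
 self.assertEqual(result, expected)
 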
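--- a/hooks/tests/test_reverseproxy_hooks.py
+++ b/hooks/tests/test_reverseproxy_hooks.py
@@ -1,3 +1,4 @@
+import os
 import base64
 import yaml
 
@@ -472,7 +473,8 @@
 "service_name": "service",
 },
 }
-self.unit_get.return_value = "1.2.4.5"
+unit_get = self.patch_hook("unit_get")
+unit_get.return_value = "1.2.4.5"
 self.relations_of_type.return_value = [
 {"port": 4242,
 "private-address": "1.2.4.4",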
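Review bot: `import os` is added at new line 1, but none of the other lines this file gains uses it (the diffstat is +3/-1 and all four changed lines are in view), so it is either unused or supplies an import that existing code was already missing; either way the merge description does not mention it and it should be dropped or explained. The `self.patch_hook("unit_get")` replacement at new lines 476-477 is likewise unrelated to the ciphers option and would read better as a separate commit, or at least as a sentence in the description. The enclosing test method starts and ends outside the hunk.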
