Merge lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3 into lp:charms/trusty/haproxy

Proposed by Free Ekanayaka
Status: Merged
Merged at revision: 97
Proposed branch: lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3
Merge into: lp:charms/trusty/haproxy
Diff against target: 38 lines (+5/-3)
2 files modified
hooks/hooks.py (+2/-1)
hooks/tests/test_helpers.py (+3/-2)
To merge this branch: bzr merge lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3
Reviewer: Chris Glass (community), status: Approve
Review via email: mp+268314@code.launchpad.net

Description of the change

This branch disables SSLv3 by default, since it's vulnerable to POODLE attacks.

Revision history for this message
Chris Glass (tribaal) wrote :

Looks good. +1

review: Approve

Preview Diff

1=== modified file 'hooks/hooks.py'
2--- hooks/hooks.py 2015-08-17 12:58:35 +0000
3+++ hooks/hooks.py 2015-08-18 10:59:51 +0000
4@@ -368,7 +368,8 @@
5 else:
6 path = os.path.join(default_haproxy_lib_dir,
7 "service_%s" % service_name, "%d.pem" % i)
8- bind_stanza += " crt %s" % path
9+ # SSLv3 is always off, since it's vulnerable to POODLE attacks
10+ bind_stanza += " crt %s no-sslv3" % path
11 service_config.append(bind_stanza)
12 service_config.append(" default_backend %s" % (service_name,))
13 service_config.extend(" %s" % service_option.strip()
14
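Review bot: `no-sslv3` is appended inside the per-certificate loop (the path is built from `"%d.pem" % i`), so a service with more than one certificate gets the keyword repeated once per `crt` on the same bind line; append it once to `bind_stanza` after the loop instead, e.g. `bind_stanza += " no-sslv3"`. Only the `else:` branch is in view here, so confirm that the `if` branch's handling of certificates gets the same option. The merge description says SSLv3 is disabled "by default", while the comment and code make it unconditional with no way to turn it back on; align the description and the comment. As `no-sslv3` is a bind keyword, `ssl-default-bind-options no-sslv3` in the `global` section (HAProxy 1.5+) would cover every ssl bind line in one place if that is preferable to editing each stanza.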
15=== modified file 'hooks/tests/test_helpers.py'
16--- hooks/tests/test_helpers.py 2015-08-17 12:58:35 +0000
17+++ hooks/tests/test_helpers.py 2015-08-18 10:59:51 +0000
18@@ -238,7 +238,7 @@
19 def test_get_listen_stanzas_with_ssl_frontend(self, load_haproxy_config):
20 load_haproxy_config.return_value = '''
21 frontend foo-2-123
22- bind 1.2.3.4:123 ssl crt /foo/bar
23+ bind 1.2.3.4:123 ssl crt /foo/bar no-sslv3
24 default_backend foo.internal
25 frontend foo-2-234
26 bind 1.2.3.5:234
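Review bot: the assertion that goes with this fixture lies outside the hunk, so it is not visible whether the parsed stanza for `foo-2-123` is compared against the new bind line; make sure the expected value in that assertion also carries `no-sslv3`, otherwise the fixture change is not actually exercised.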
27@@ -471,9 +471,10 @@
28 server_entries=server_entries,
29 service_crts=crts)
30
31+ crt_path = '/var/lib/haproxy/service_foo/0.pem'
32 expected = '\n'.join((
33 'frontend haproxy-2-443',
34- ' bind 1.2.3.4:443 ssl crt /var/lib/haproxy/service_foo/0.pem',
35+ ' bind 1.2.3.4:443 ssl crt %s no-sslv3' % crt_path,
36 ' default_backend foo',
37 '',
38 'backend foo',
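Review bot: pulling `crt_path` into a variable keeps the line within the length limit, fine. This case only covers a single certificate (`0.pem`), so it would not reveal the keyword being emitted once per `crt`; consider a second expectation with two entries in `crts` to pin down the intended bind line for the multi-certificate case.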