Merge lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3 into lp:charms/trusty/haproxy

Proposed by Free Ekanayaka
Status: Merged
Merged at revision: 97
Proposed branch: lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3
Merge into: lp:charms/trusty/haproxy
Diff against target: 38 lines (+5/-3)
2 files modified
hooks/hooks.py (+2/-1)
hooks/tests/test_helpers.py (+3/-2)
To merge this branch: bzr merge lp:~free.ekanayaka/charms/trusty/haproxy/no-sslv3
Reviewer Review Type Date Requested Status
Chris Glass (community) Approve
Review via email: mp+268314@code.launchpad.net

Description of the change

This branch disables SSLv3 by default, since it's vulnerable to POODLE attacks.

Chris Glass (tribaal) wrote :

Looks good. +1

review: Approve

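--- a/hooks/hooks.py
+++ b/hooks/hooks.py
@@ -368,7 +368,8 @@
 else:
 path = os.path.join(default_haproxy_lib_dir,
 "service_%s" % service_name, "%d.pem" % i)
-bind_stanza += " crt %s" % path
+# SSLv3 is always off, since it's vulnerable to POODLE attacks
+bind_stanza += " crt %s no-sslv3" % path
 service_config.append(bind_stanza)
 service_config.append(" default_backend %s" % (service_name,))
 service_config.extend(" %s" % service_option.strip()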
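Review bot: The new `bind_stanza += " crt %s no-sslv3" % path` is executed inside the per-certificate loop (the `"%d.pem" % i` path is built once per cert), so a service with several certificates gets `no-sslv3` repeated after every `crt` instead of once per bind line; HAProxy should accept the repeated flag, but appending the option once after the loop keeps the stanza canonical and the test expectations simpler. The option only removes SSLv3: TLS 1.0/1.1 and the cipher list remain whatever the daemon defaults to, and since the value is hard-coded there is no charm setting to go further, so the comment should say so, e.g. `# no-sslv3 only disables SSLv3 (POODLE); other protocol/cipher hardening is not configured here`. The enclosing function starts and ends outside the hunk.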
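--- a/hooks/tests/test_helpers.py
+++ b/hooks/tests/test_helpers.py
@@ -238,7 +238,7 @@
 def test_get_listen_stanzas_with_ssl_frontend(self, load_haproxy_config):
 load_haproxy_config.return_value = '''
 frontend foo-2-123
-bind 1.2.3.4:123 ssl crt /foo/bar
+bind 1.2.3.4:123 ssl crt /foo/bar no-sslv3
 default_backend foo.internal
 frontend foo-2-234
 bind 1.2.3.5:234
@@ -471,9 +471,10 @@
 server_entries=server_entries,
 service_crts=crts)
 
+crt_path = '/var/lib/haproxy/service_foo/0.pem'
 expected = '\n'.join((
 'frontend haproxy-2-443',
-' bind 1.2.3.4:443 ssl crt /var/lib/haproxy/service_foo/0.pem',
+' bind 1.2.3.4:443 ssl crt %s no-sslv3' % crt_path,
 ' default_backend foo',
 '',
 'backend foo',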
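Review bot: The expected stanza in the second hunk pins only the single-certificate case (`crt_path` is the `0.pem` entry), so it would not detect the generating loop in hooks.py emitting `no-sslv3` once per certificate rather than once per bind line; a second case with two entries in `crts` that asserts exactly one `no-sslv3` per bind line would lock the intended format. The first hunk only widens the parsed fixture, and whether the parser-side assertion actually checks the new option is outside the hunk, so it is worth confirming the option round-trips rather than being silently dropped. Both enclosing test methods start or end outside the hunks.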
