Comment 4 for bug 1892450

James Hebden (ec0) wrote :

Thanks nobuto, I was not aware of that specific bug, and I'm glad we're all on the same page as to how this should be addressed :)

I'm glad that this has been potentially addressed in charmhelpers. I believe that all charms using apache2 will also need these fixes to address this, as this issue also exists outside of the dashboard. I'm glad that you and Yoshi have done that work. There is also the case of the nova-vnc-proxy, which handles this itself; Xav has already mentioned this is soon to be configurable in nova itself, but this needs associated charm work to ship a good-practice configuration as well, as I do not understand this to be using the same TLS termination which is used in other charms.

Essentially, I believe a thorough review of all charms which expose TLS endpoints is needed to ensure that the cipher list and protocol version configuration meets current industry security good practice. Until this is done, these issues will continue to arise when charmed-OpenStack environments are scanned for security compliance.
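One way to mechanise the review this comment calls for, as an added example that is not part of the bug thread or of any charm: a small Python check that pulls the SSLProtocol and SSLCipherSuite directives out of an apache2 vhost fragment and flags weak protocol versions and weak cipher-list tokens. The two config fragments, the expansion assumed for Apache's `all` keyword and the set of tokens treated as weak are assumptions constructed for the example.

```python
import re

# Constructed apache2 vhost fragments (not from any charm): a weak one and a hardened one.
WEAK_CONF = """
<VirtualHost *:443>
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4
</VirtualHost>
"""
HARDENED_CONF = """
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5
</VirtualHost>
"""
# What Apache 2.4's "all" keyword expands to with a modern OpenSSL (assumption; 2.4 has no SSLv2).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords and suite-name components treated as weak by this check.
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW", "MEDIUM"}
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.MULTILINE)


def enabled_protocols(args):
    """Apply SSLProtocol tokens (X, +X, -X, all) left to right and return the enabled set."""
    enabled = set()
    for tok in args.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def weak_ciphers(cipher_list):
    """Return cipher-list tokens naming a weak keyword/component that are not '!'/'-' excluded."""
    return [t for t in cipher_list.split(":")
            if not t.startswith(("!", "-")) and any(p in WEAK_CIPHER_TOKENS for p in t.split("-"))]


def audit_tls_config(text):
    """Return human-readable findings for weak SSLProtocol / SSLCipherSuite settings in a vhost."""
    findings = []
    directives = dict(DIRECTIVE_RE.findall(text))
    # Apache falls back to 'all' when SSLProtocol is absent, so audit that default too.
    weak = sorted(enabled_protocols(directives.get("SSLProtocol", "all")) & WEAK_PROTOCOLS)
    if weak:
        findings.append("SSLProtocol enables weak protocols: " + ", ".join(weak))
    bad = weak_ciphers(directives.get("SSLCipherSuite", ""))
    if bad:
        findings.append("SSLCipherSuite permits weak ciphers: " + ", ".join(bad))
    return findings
```

Running `audit_tls_config` over a charm's rendered apache2 templates gives a repeatable pass/fail for each TLS endpoint rather than waiting for the next compliance scan to find it.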