Comment 23 for bug 1754368

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/566509
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Submitter: Zuul
Branch: stable/queens

commit d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Author: Damien Ciabrini <email address hidden>
Date: Fri Apr 27 12:37:07 2018 -0400

    Disallow SSLv2, SSLv3 and TLS1.0 in mysql for FedRAMP compliance

    We cannot disable a specific protocol when using SSL in mysql, so in order to
    enforce TLS1.1 or greater, we disallow all ciphers provided by SSLv2, SSLv3 and
    TLS1.0.

    Galera group communication cannot be configured with a list of available
    ciphers, so configure gcomm to use AES128-SHA256, which seems to be the closest
    to the default AES128-SHA.

    Inherit the cipher list settings for the rsync SST.

    Related-Bug: #1754368

    Change-Id: Ib3625020e60665f91b9009e7f06b9b25a6970a9b
    (cherry picked from commit 1c46f6e1cd6fbaee688e153422a951acfbdaf4f6)
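
The approach described in the commit message above can be checked against any OpenSSL cipher string. The following is an added example, not code from the commit or from puppet-tripleo: it uses Python's `ssl` module to report which suites in a cipher string were introduced before TLS 1.2 and so remain negotiable by older clients. The function names and the third sample cipher string are constructed for illustration, and the results depend on the local OpenSSL build.

```python
import ssl


def expand(cipher_string):
    """Map each suite selected by an OpenSSL cipher string to the protocol
    version that introduced it, as reported by the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from the cipher string and are
    # always listed, so they are left out of the comparison.
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def legacy_suites(cipher_string):
    """Suites in the string that were introduced before TLS 1.2 and can
    therefore still be negotiated over SSLv3, TLS 1.0 or TLS 1.1."""
    return sorted(name for name, proto in expand(cipher_string).items()
                  if proto != "TLSv1.2")


def enforces_tls12(cipher_string):
    """True when every suite in the string requires TLS 1.2."""
    return not legacy_suites(cipher_string)


if __name__ == "__main__":
    samples = (
        "AES128-SHA",          # default gcomm cipher named in the commit message
        "AES128-SHA256",       # replacement named in the commit message
        "HIGH:!SSLv3:!TLSv1",  # constructed sample, not the project's setting
    )
    for s in samples:
        old = legacy_suites(s)
        verdict = "TLS 1.2 only" if not old else "legacy suites: " + ", ".join(old)
        print(f"{s:22} {verdict}")
```
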