Switch to TLSv1 as SSLv3 is considered insecure and is disabled by de…

…fault Rabbitmq won't talk to us anymore if we try to use SSLv3 as it disabled support for SSLv3. Openstack components use python's openssl implementation which does not support TLSv1.1 and TLSv1.2 yet so we just switch to TLSv1. Support for newer TLS should come with python 2.7.9+ Closes-Bug: #1409667 Change-Id: I949421cd092a31eab3ef7f2194c4da3a9dbac818 (cherry picked from commit c231da8de6d3ef14a23259d1d8e05c7b6c6d83ba)
xbezdick · Jan 13, 2015 · ef2f067 · ef2f067
1 parent b1e9e9b
commit ef2f067
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -70,7 +70,7 @@
 #   (Optional) SSL version to use (valid only if SSL enabled).
 #   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
 #   available on some distributions.
-#   Defaults to 'SSLv3'
+#   Defaults to 'TLSv1'
 #
 # [*amqp_durable_queues*]
 #   (Optional) Use durable queues in amqp.
@@ -174,7 +174,7 @@
   $kombu_ssl_ca_certs          = undef,
   $kombu_ssl_certfile          = undef,
   $kombu_ssl_keyfile           = undef,
-  $kombu_ssl_version           = 'SSLv3',
+  $kombu_ssl_version           = 'TLSv1',
   $amqp_durable_queues         = false,
   $qpid_hostname               = 'localhost',
   $qpid_port                   = 5672,

diff --git a/spec/classes/heat_init_spec.rb b/spec/classes/heat_init_spec.rb
@@ -254,7 +254,7 @@
         :kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
         :kombu_ssl_certfile => '/path/to/ssl/cert/file',
         :kombu_ssl_keyfile  => '/path/to/ssl/keyfile',
-        :kombu_ssl_version  => 'SSLv3'
+        :kombu_ssl_version  => 'TLSv1'
       )
     end
 
@@ -263,7 +263,7 @@
       should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
       should contain_heat_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
       should contain_heat_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
-      should contain_heat_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
+      should contain_heat_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
     end
   end
 
@@ -279,15 +279,15 @@
       should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
       should contain_heat_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
       should contain_heat_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
-      should contain_heat_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
+      should contain_heat_config('DEFAULT/kombu_ssl_version').with_value('TLSv1')
     end
   end
 
   shared_examples_for 'with SSL disabled' do
     before do
       params.merge!(
         :rabbit_use_ssl     => false,
-        :kombu_ssl_version  => 'SSLv3'
+        :kombu_ssl_version  => 'TLSv1'
       )
     end