Disallow SSLv2, SSLv3 and TLS1.0 in mysql for FedRAMP compliance

We cannot disable a specific protocol when using SSL in mysql, so in order to
enforce TLS1.1 or greater, we disallow all ciphers provided by SSLv2, SSLv3 and
TLS1.0.

Galera group communication cannot be configured with a list of available
ciphers, so configure gcomm to use AES128-SHA256, which seems to be the closest
to the default AES128-SHA.

Inherit the cipher list settings for the rsync SST.

Related-Bug: #1754368
Change-Id: Ib3625020e60665f91b9009e7f06b9b25a6970a9b
(cherry picked from commit 1c46f6e1cd6fbaee688e153422a951acfbdaf4f6)
Reviewed: https://review.openstack.org/566509
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Submitter: Zuul
Branch: stable/queens
commit d00d6d1c0dfe882280a7cc94eb219d54be5e5ef3
Author: Damien Ciabrini <email address hidden>
Date: Fri Apr 27 12:37:07 2018 -0400
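
Added example, not part of the commit or of puppet-tripleo: a Python check of which suites survive a cipher-exclusion list of the kind the commit message describes, and which protocol tag OpenSSL gives AES128-SHA and AES128-SHA256. The exclusion string and the function names are assumptions, since the page does not show the list the change applies.

```python
import ssl

# Assumed exclusion string in OpenSSL cipher-list syntax. OpenSSL 1.1.0 and
# later ship no SSLv2 suites, so only the SSLv3 and TLSv1 tags are excluded.
RESTRICTED = "DEFAULT:!SSLv3:!TLSv1"

# Protocol tags OpenSSL gives to suites that cannot be negotiated below TLS 1.2.
MODERN = {"TLSv1.2", "TLSv1.3"}


def suites(cipher_string):
    """Return {suite name: protocol tag} for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def legacy_suites(cipher_string):
    """Suites left enabled that an SSLv3/TLS 1.0/TLS 1.1 peer could still use."""
    enabled = suites(cipher_string)
    return sorted(name for name, tag in enabled.items() if tag not in MODERN)


def audit(cipher_string, required=()):
    """Report legacy suites still enabled and required suites that were lost."""
    enabled = suites(cipher_string)
    return {
        "legacy": legacy_suites(cipher_string),
        "missing": [name for name in required if name not in enabled],
    }


if __name__ == "__main__":
    default = suites("DEFAULT")
    # The two gcomm ciphers named in the commit message.
    for name in ("AES128-SHA", "AES128-SHA256"):
        print(name, "->", default.get(name, "not in DEFAULT"))
    print("legacy in DEFAULT:", len(legacy_suites("DEFAULT")))
    print("restricted audit:", audit(RESTRICTED, required=["AES128-SHA256"]))
```

Run it with the Python that links the same OpenSSL build as the database host; the tags come from the local library, so results from another machine do not transfer.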