Add SSL options for noVNC/websockify console
Implemented for Queens only for now.
Change-Id: I59936257474acfdb666003841985f5cd1a2fd6ec
Related-Issue: PROD-27619
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index e9e49bb..6d731fc 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -3049,6 +3049,12 @@
ssl_only=True
cert={{controller.novncproxy.tls.server.cert_file|yaml_squote}}
key={{controller.novncproxy.tls.server.key_file|yaml_squote}}
+{%- if controller.novncproxy.tls.version is defined %}
+ssl_version={{controller.novncproxy.tls.version}}
+{%- endif %}
+{% if controller.novncproxy.tls.ciphers is defined %}
+ssl_ciphers={{controller.novncproxy.tls.ciphers|join(',')}}
+{%- endif %}
{%- endif %}
# Set to True if source host is addressed with IPv6. (boolean value)
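Review bot: The two new TLS values are rendered into the config without validation, on the `ssl_version=` and `ssl_ciphers=` lines. Jinja's `join(',')` iterates a string character by character, so a pillar that supplies `ciphers` as a single string rather than a list renders a cipher list that is not what the operator wrote; guarding with `{%- if controller.novncproxy.tls.ciphers is defined and controller.novncproxy.tls.ciphers is not string %}`, or rendering a string value as-is, avoids that. `ssl_version` is likewise emitted verbatim, so a typo or `tlsv1_1` passes straight through; consider restricting it, e.g. `{%- if controller.novncproxy.tls.version in ['tlsv1_2', 'tlsv1_3'] %}`, so the formula cannot select a protocol older than TLS 1.2. The ciphers `{% if` tag also lacks the `-` that the neighbouring tags use, which leaves a stray blank line in the rendered file. The enclosing `{%- if %}` block that these lines sit in opens outside the hunk.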
@@ -3060,6 +3066,23 @@
# SSL key file (if separate from cert). (string value)
#key = <None>
+# List of SSL ciphers allowed for novnc connection.
+# For a list of supported ciphers run `openssl ciphers`.
+# (list value)
+#ssl_ciphers=
+
+# SSL version for novnc console.
+# Depending on your Python version the actually available version
+# may not be the maximal one. In this case graceful fallback to the most
+# recent supported version will be performed.
+# (string value)
+# Possible values:
+# default - <No description provided>
+# tlsv1_1 - <No description provided>
+# tlsv1_2 - <No description provided>
+# tlsv1_3 - <No description provided>
+#ssl_version=default
+
#
# Path to directory with content which will be served by a web server.
# (string value)