Allow setting tls_priority option
Add tls_priority config option to libvirtd.conf config.
libvirt-4.0.0 supports this functionality out of the box.
To fully comply with PROD-27620, the priority string should be set in reclass
to the following string:
SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:\
-CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384
Also, fix some inconsistencies found:
* tests/pillar/compute_single.sls - change qemu's group name to 'nova' as
'cinder' does not exist.
Change-Id: I56a8c3726e1af274e2d2fffce8dca4501745519e
Related-Prod: PROD-27620
diff --git a/README.rst b/README.rst
index 4a3b7ac..27d6dd7 100644
--- a/README.rst
+++ b/README.rst
@@ -1108,6 +1108,59 @@
key: (certificate content)
cert: (certificate content)
+It is possible to limit allowed SSL / TLS ciphers using libvirt's tls_priority:
+
+.. code-block:: yaml
+
+ nova:
+ compute:
+ libvirt:
+ tls:
+ priority: <TLS priority string>
+
+Example priority strings are:
+
+- The system imposed security level:
+
+.. code-block:: text
+
+ "SYSTEM"
+
+- The default priority without the HMAC-MD5:
+
+.. code-block:: text
+
+ "NORMAL:-MD5"
+
+- Specifying RSA with AES-128-CBC:
+
+.. code-block:: text
+
+ "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
+
+- Specifying the defaults plus ARCFOUR-128:
+
+.. code-block:: text
+
+ "NORMAL:+ARCFOUR-128"
+
+- Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
+
+.. code-block:: text
+
+ "SECURE128:-VERS-TLS1.0"
+
+- Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS
+ versions except TLS 1.2:
+
+.. code-block:: text
+
+ "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
+
+More on TLS Priority Strings:
+
+- https://gnutls.org/manual/html_node/Priority-Strings.html
+
Controlling access by `tls_allowed_dn_list`.
Enable an access control list of client certificate Distinguished Names (DNs)
which can connect to the TLS port on this server. The default is that DNs are
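Review bot: The new README section omits the minimum libvirt version this option needs (4.0.0, per the commit message) and never mentions the hardened string the commit message itself recommends for PROD-27620, so readers of the README alone get only the GnuTLS sample strings. Suggest adding a sentence such as "Requires libvirt >= 4.0.0" under the `priority:` example, and listing the recommended `SECURE256:-VERS-ALL:+VERS-TLS1.2:...` string as the first example. Also, the lead sentence "limit allowed SSL / TLS ciphers" undersells what the option controls: a GnuTLS priority string also selects protocol versions, key exchange, MAC and signature algorithms (as the `-VERS-ALL:+VERS-TLS1.2` examples show), so "cipher suites and protocol versions" would be more accurate; and the `"NORMAL:+ARCFOUR-128"` and `"NONE:...+AES-128-CBC..."` examples are copied syntax illustrations that re-enable weak or legacy algorithms, which deserve a one-line note that they show the syntax and are not recommended settings.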