Use only approved TLS1.2 FIPS cipher suites (libvirt) * ECDHE-RSA-AES256-GCM-SHA384 * ECDHE-ECDSA-AES256-GCM-SHA384 * ECDHE-RSA-AES256-SHA384 * ECDHE-ECDSA-AES256-SHA384 Change-Id: Ib213f9eaffedee6bad302e598d0a5bf6d452815c Related-Prod: PROD-27620

commit: 50fe7d41fc8399361d1cd0ac17eb94f757aa2dd0 [log] [tgz]
author: Dmitry Teselkin <dteselkin@mirantis.com> Thu Apr 18 16:52:17 2019 +0300
committer: Dmitry Teselkin <dteselkin@mirantis.com> Fri Apr 26 10:46:50 2019 +0000
tree: 8f98d5638b820ebb7c40cb829c1346899e7820f1
parent: b0fa740de56c7d42b3ce3e61112c479813e28080 [diff]
diff --git a/nova/compute/libvirt/ssl/init.yml b/nova/compute/libvirt/ssl/init.yml
index 4523183..6e29e07 100644
--- a/nova/compute/libvirt/ssl/init.yml
+++ b/nova/compute/libvirt/ssl/init.yml

@@ -16,6 +16,7 @@
           cert_file: ${_param:libvirtd_server_ssl_cert_file}
           ca_file: ${_param:libvirtd_ssl_ca_file}
           allowed_dn_list: ${_param:nova_compute_libvirt_allowed_dn_list}
+          priority: "SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:-MAC-ALL:+AEAD:+SHA384"
           client:
             key_file: ${_param:libvirtd_client_ssl_key_file}
             cert_file: ${_param:libvirtd_client_ssl_cert_file}
commit	50fe7d41fc8399361d1cd0ac17eb94f757aa2dd0	[log] [tgz]
author	Dmitry Teselkin <dteselkin@mirantis.com>	Thu Apr 18 16:52:17 2019 +0300
committer	Dmitry Teselkin <dteselkin@mirantis.com>	Fri Apr 26 10:46:50 2019 +0000
tree	8f98d5638b820ebb7c40cb829c1346899e7820f1
parent	b0fa740de56c7d42b3ce3e61112c479813e28080 [diff]