Should Charms disable SSLv3 and RC4?

Mark Shuttleworth mark at ubuntu.com
Tue Mar 29 09:55:15 UTC 2016


On 28/03/16 21:33, Bryan Quigley wrote:
> Right now if you deploy juju-gui or openstack-dashboard (and likely
> many more) they will follow the 14.04 default and have SSLv3 and RC4
> enabled.  In both cases this can make the communication insecure.
>
> 1) Should we default SSLv3/RC4 to disabled in charms that we know we can?
>
> For example, last I checked the OpenStack dashboard does not support
> IE6, so we don't need SSLv3 support.

Yes, I'd say at the level of a specific set of charms (like the OpenStack
ones) this is a straightforward +1 since we can anticipate the client
capabilities (browsers and REST API client libraries).

> 2) Should every charm that includes a web server let you override
> SSLOptions with a specific option?  This is likely to happen again,
> and maybe next time we won't be able to just disable them.

Seems like a useful convention, but not a requirement given that the
underlying software will use different terms to express supported
options. Perhaps in future it would be useful to have a convention for
this that we encourage charmers to follow, with layers for the common
stacks.

Mark
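An added example, not code from this thread or from any charm: a small linter for the two Apache mod_ssl directives a charm would template, on the assumption that the charm's web server is Apache (the thread names none). It applies mod_ssl's own SSLProtocol evaluation rules, including the easily missed one that a bare token replaces everything before it, and checks the cipher string textually for a `!RC4` kill token; the weak and hardened vhost fragments are constructed samples.

```python
import re

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(PROTOCOLS) - {"SSLv2"}   # in httpd 2.4 'all' never includes SSLv2

def parse_ssl_protocol(value):
    """Enabled protocol set for an SSLProtocol value, using mod_ssl's rules:
    '+tok' adds, '-tok' removes, a bare token REPLACES everything before it
    (mod_ssl logs a warning in that case)."""
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            this = set(ALL)
        else:
            this = {p for p in PROTOCOLS if p.lower() == name.lower()}
            if not this:
                raise ValueError("unknown protocol token %r" % tok)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return enabled

def rc4_killed(cipher_suite):
    """True only when the OpenSSL cipher string contains a '!RC4' kill token.
    Textual and conservative; confirm with `openssl ciphers -v '<string>'`."""
    return any(t.upper() == "!RC4" for t in re.split(r"[:, ]+", cipher_suite))

def lint(vhost_text):
    """Return findings for the SSLProtocol / SSLCipherSuite directives."""
    found = {k.lower(): v for k, v in re.findall(
        r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", vhost_text, re.M | re.I)}
    findings = []
    proto = parse_ssl_protocol(found.get("sslprotocol", "all"))  # httpd default is 'all'
    if "SSLv3" in proto:
        findings.append("SSLv3 enabled (%s)" % (found.get("sslprotocol") or "default 'all'"))
    if not rc4_killed(found.get("sslciphersuite", "")):
        findings.append("RC4 not explicitly excluded from SSLCipherSuite")
    return findings

# Constructed samples: the first resembles a 14.04-era default, the second the fix.
WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
HARDENED = "SSLEngine on\nSSLProtocol all -SSLv3\nSSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n"
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint(cfg) or ["ok"])
```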
