2017-11-13 13:27:21 +00:00 · 2017-11-13 13:27:21 +00:00 · 7ab9004ff9
parent ff1e7b994c
commit 7ab9004ff9
3 changed files with 4 additions and 7 deletions
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@ -659,7 +659,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 ### SSL settings
 # See https://www.postgresql.org/docs/9.6/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details
 # postgresql['ssl'] = 'off'
-# postgresql['ssl_ciphers'] = nil
+# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
 # postgresql['ssl_cert_file'] = 'server.crt'
 # postgresql['ssl_key_file'] = 'server.key'
 # postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@ -379,7 +379,7 @@ default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = []
 default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = []

 default['gitlab']['postgresql']['ssl'] = 'off'
-default['gitlab']['postgresql']['ssl_ciphers'] = nil
+default['gitlab']['postgresql']['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
 default['gitlab']['postgresql']['ssl_cert_file'] = 'server.crt'
 default['gitlab']['postgresql']['ssl_key_file'] = 'server.key'
 default['gitlab']['postgresql']['ssl_ca_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
--- a/spec/chef/recipes/postgresql_spec.rb
+++ b/spec/chef/recipes/postgresql_spec.rb
@ -74,9 +74,6 @@ describe 'postgresql 9.2' do
        expect(chef_run).to render_file(
          postgresql_conf
        ).with_content(/ssl = off/)
-        expect(chef_run).not_to render_file(
-          postgresql_conf
-        ).with_content(/ssl_ciphers = /)
      end

      it 'activates SSL' do
@ -88,9 +85,9 @@ describe 'postgresql 9.2' do
        expect(chef_run).to render_file(
          postgresql_conf
        ).with_content(/ssl = on/)
-        expect(chef_run).not_to render_file(
+        expect(chef_run).to render_file(
          postgresql_conf
-        ).with_content(/ssl_ciphers = /)
+        ).with_content(%r{ssl_ciphers = 'HIGH:MEDIUM:\+3DES:!aNULL:!SSLv3:!TLSv1'})
        expect(chef_run).to render_file(
          postgresql_conf
        ).with_content(/ssl_cert_file = 'server.crt'/)