Browse Source

Specify ciphers that optimize for security and performance

* Prefer the ECDHE + AESGCM ciper suites first, these represent the
  best performance and the best security.
* Then, prefer the DH + AESGCM, these are equivilant to the first in
  terms of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by
  strength, then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally
  any another non PFS cipher.
* We then exclude any AES256 ciphers, we exclude there here instead of
  just not mentioning them so that they can be renabled simply by
  removing the !AES256. We exclude them because they are not
  meaningfully more secure than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
  specifying every cipher by name, and we're not specifying any
  authentication. This will ensure that no matter what we'll always
  have *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our
  included ciphers have encryption specified. It exists primarily for
  symmetry with !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
  specify a digest anywhere, so we want to make sure we don't support
  MD5.
* Finally we exclude DSS, PSK, and SRP. These are just to make
  debugging the list easier. It's basically impossible to get a DSS
  certificate issued instead of a RSA certificate and nobody really
  uses PSK or SRP.

This will drop support for IE8 on Windows XP, essentially dropping
support for all versions of IE on Windows XP. Windows XP users
would need to use Firefox or Chrome to use the service.

Change-Id: I4744a6f42b8f7ab4a4b41ad856ecaa424d8ce3fc
Donald Stufft 4 years ago
parent
commit
489b7ba022
1 changed files with 5 additions and 0 deletions
  1. 5
    0
      templates/vhost.erb

+ 5
- 0
templates/vhost.erb View File

@@ -21,6 +21,11 @@
21 21
 
22 22
   SSLEngine on
23 23
   SSLProtocol All -SSLv2 -SSLv3
24
+  # Once the machine is using something to terminate TLS that supports ECDHE
25
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
26
+  # only is guarenteed.
27
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
28
+  SSLHonorCipherOrder on
24 29
   SSLCertificateFile      <%= scope.lookupvar("openstackid::ssl_cert_file") %>
25 30
   SSLCertificateKeyFile   <%= scope.lookupvar("openstackid::ssl_key_file") %>
26 31
 <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>

Loading…
Cancel
Save