
Exclude anonymous cipher suites from Cobbler SSL configuration

The server used to be configured to support anonymous cipher suites
with no key authentication. These ciphers are highly vulnerable
to man-in-the-middle attacks.

The new configuration applies only strong cipher suites on the SSL server.

Change-Id: I8ecac040a77614fd78188995a873b85c94781411
Closes-Bug: #1646761
changes/44/452144/2
Sergii Rizvan, 2 years ago
Parent commit: 7261e43577

+ 1
- 1
deployment/puppet/cobbler/manifests/apache.pp

@@ -60,7 +60,7 @@ class cobbler::apache {
60 60
     ],
61 61
     custom_fragment => '
62 62
       CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"',
63
-    ssl_cipher      => 'ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH',
63
+    ssl_cipher      => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
64 64
     setenvif        => ['User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'],
65 65
   }
66 66
 }
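Review bot: the important change in this hunk is `!ADH` becoming `!aNULL`, and that deserves a short comment above `ssl_cipher` in the manifest. The old string `ALL:!ADH:...` only removed anonymous DH suites; OpenSSL's `ADH` alias does not cover anonymous ECDH (`AECDH`), so those unauthenticated suites stayed enabled, whereas `!aNULL` excludes every suite without key authentication. Two smaller points: the new list is an explicit allow-list, so `!EXPORT`, `!LOW`, `!MEDIUM` and `!SSLv2` are no longer needed, but the `RSA+AESGCM:RSA+AES` entries at the tail still permit static-RSA key exchange without forward secrecy (reasonable as a last-resort fallback, worth noting in the comment); and the server's order only wins if `ssl_honorcipherorder` is enabled on this vhost, which is not visible in the context lines and should be confirmed.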

+ 1
- 2
deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb

@@ -102,7 +102,7 @@ describe "cobbler::apache" do
102 102
             :ssl_cert => "/var/lib/fuel/keys/master/cobbler/cobbler.crt",
103 103
             :ssl_key => "/var/lib/fuel/keys/master/cobbler/cobbler.key",
104 104
             :rewrites => ssl_rewrites,
105
-            :ssl_cipher => "ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH",
105
+            :ssl_cipher => "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS",
106 106
             :setenvif => ["User-Agent \".*MSIE.*\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"],
107 107
         )
108 108
       end
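Review bot: the spec now repeats the full cipher string as a second literal, so the test only proves the manifest and the spec were edited together, not that the policy is what was intended. Consider asserting the property the bug is about, for example that the value starts with an explicit allow-list and contains `!aNULL` and `!MD5`, or at least adding a comment next to the expected value pointing at the bug number so the next person who changes one copy knows to change the other.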
@@ -119,4 +119,3 @@ describe "cobbler::apache" do
119 119
   end
120 120
 
121 121
 end
122
-
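Review bot: this hunk only drops the trailing empty line at the end of the spec file, which is unrelated to the cipher-suite fix. It is harmless, but whitespace cleanups are better kept out of a security change so the diff stays focused and easy to audit.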
