Exclude anonymous cipher suites from Cobbler SSL configuration

The server used to be configured to support anonymous cipher suites
with no key authentication. These ciphers are highly vulnerable
to man-in-the-middle attacks.

The new configuration applies only strong cipher suites on the SSL server.

Change-Id: I8ecac040a77614fd78188995a873b85c94781411
Closes-Bug: #1646761
Sergii Rizvan 2017-03-31 13:44:55 +03:00
parent 5fe47abd52
commit 42ebf728a8
2 changed files with 2 additions and 4 deletions

View File

@ -101,7 +101,7 @@ SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
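
Review bot: the trailing RSA+AESGCM:RSA+AES terms in the new SSLCipherSuite line keep static RSA key exchange enabled, which gives no forward secrecy. With SSLHonorCipherOrder on they are only a fallback, but if no supported client needs them, drop both terms; otherwise add a comment above the directive naming the clients that require them. The comment block is also a good place to record why !aNULL replaced !ADH (it excludes every unauthenticated suite, including anonymous ECDH, not just anonymous DH), so the exclusion is not narrowed again in a later edit.
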
@ -226,4 +226,3 @@ CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
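
Review bot: the hunk header at the end of the file goes from 4 lines to 3, but the commit message only describes the cipher suite change. If the line dropped after </VirtualHost> is just a trailing blank line, say so in the commit message or move it to a separate cleanup commit, so the security fix contains nothing but the SSLCipherSuite change.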

View File

@ -101,7 +101,7 @@ SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
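
Review bot: this SSLCipherSuite line is an exact copy of the one in the first changed file, so the two configurations now have to be kept in sync by hand, and a future tightening applied to only one of them would leave the other server weaker. Consider defining the cipher string once (for example in a shared template variable or an included snippet) and referencing it from both files, or at minimum add a comment in each file pointing at the other copy.
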
@ -226,4 +226,3 @@ CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>