Exclude anonymous cipher suites from Cobbler SSL configuration

The server used to be configured to support anonymous cipher suites
with no key authentication. These ciphers are highly vulnerable
to man in the middle attacks.

The new configuration allows only strong cipher suites on the SSL server.

Change-Id: I8ecac040a77614fd78188995a873b85c94781411
Closes-Bug: #1646761
Sergii Rizvan 2017-03-31 13:44:55 +03:00
parent 3f01bb9d23
commit 7875c960ac
2 changed files with 2 additions and 3 deletions


@ -60,7 +60,7 @@ class cobbler::apache {
],
custom_fragment => '
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"',
ssl_cipher => 'ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH',
ssl_cipher => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
setenvif => ['User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'],
}
}
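Review bot: The preference order written into the new `ssl_cipher` string (ECDH/DH with AES-GCM first, static `RSA+AES` last) only takes effect if the server enforces its own order, and nothing visible in this hunk sets that. Assuming this resource is an `apache::vhost` (its header is outside the hunk, so this is inferred from the parameter names) and the setting is not already applied module-wide, add `ssl_honorcipherorder => 'On',` next to `ssl_cipher`. The string also no longer carries the old `!SSLv2` and a cipher list does not by itself rule out SSLv3, so it is worth confirming that `ssl_protocol` is pinned somewhere outside this hunk. The trailing `RSA+AESGCM:RSA+AES` entries keep key exchange without forward secrecy available; a comment such as `# RSA+AES kept only for clients without (EC)DHE support` would record whether that is deliberate.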


@ -102,7 +102,7 @@ describe "cobbler::apache" do
:ssl_cert => "/var/lib/fuel/keys/master/cobbler/cobbler.crt",
:ssl_key => "/var/lib/fuel/keys/master/cobbler/cobbler.key",
:rewrites => ssl_rewrites,
:ssl_cipher => "ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH",
:ssl_cipher => "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS",
:setenvif => ["User-Agent \".*MSIE.*\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"],
)
end
@ -119,4 +119,3 @@ describe "cobbler::apache" do
end
end