Exclude anonymous cipher suites from Cobbler SSL configuration

The server used to be configured to support anonymous cipher suites
with no key authentication. These ciphers are highly vulnerable
to man in the middle attacks.

New configuration applies only strong cipher suites on SSL server.

Change-Id: I8ecac040a77614fd78188995a873b85c94781411
Closes-Bug: #1646761
This commit is contained in:
Sergii Rizvan 2017-03-31 13:44:55 +03:00
parent 3db29e88af
commit c8f0798a10
2 changed files with 2 additions and 3 deletions

View File

@ -60,7 +60,7 @@ class cobbler::apache {
],
custom_fragment => '
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"',
ssl_cipher => 'ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH',
ssl_cipher => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
setenvif => ['User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'],
}
}

View File

@ -102,7 +102,7 @@ describe "cobbler::apache" do
:ssl_cert => "/var/lib/fuel/keys/master/cobbler/cobbler.crt",
:ssl_key => "/var/lib/fuel/keys/master/cobbler/cobbler.key",
:rewrites => ssl_rewrites,
:ssl_cipher => "ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH",
:ssl_cipher => "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS",
:setenvif => ["User-Agent \".*MSIE.*\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"],
)
end
@ -119,4 +119,3 @@ describe "cobbler::apache" do
end
end