From c8f0798a1079e098d9da83273c5ad53755fbcaf2 Mon Sep 17 00:00:00 2001
From: Sergii Rizvan
Date: Fri, 31 Mar 2017 13:44:55 +0300
Subject: [PATCH] Exclude anonymous cipher suites from Cobbler SSL configuration

The server used to be configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man in the middle attacks. New configuration applies only strong cipher suites on SSL server.

Change-Id: I8ecac040a77614fd78188995a873b85c94781411
Closes-Bug: #1646761
---
 deployment/puppet/cobbler/manifests/apache.pp | 2 +-
 deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/deployment/puppet/cobbler/manifests/apache.pp b/deployment/puppet/cobbler/manifests/apache.pp
index 4bba28c157..452b79b2b6 100644
--- a/deployment/puppet/cobbler/manifests/apache.pp
+++ b/deployment/puppet/cobbler/manifests/apache.pp
@@ -60,7 +60,7 @@ class cobbler::apache {
 ],
 custom_fragment => '
 CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"',
- ssl_cipher => 'ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH',
+ ssl_cipher => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
 setenvif => ['User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'],
 }
 }
diff --git a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
index 2eacda143a..699e0dee08 100644
--- a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
+++ b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
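Review bot: The new `ssl_cipher` value puts the forward-secret ECDH/DH suites ahead of the plain `RSA+AES` fallbacks, but that preference only binds negotiation if the server honors its own cipher order; otherwise a client may still pick the non-PFS `RSA+AES` CBC suites the list permits. The enclosing resource starts before the hunk and looks like an `apache::vhost`, so unless `ssl_honorcipherorder` is already set there or by the module default, consider adding `ssl_honorcipherorder => true,` beside `ssl_cipher` (protocol versions are likewise governed by `ssl_protocol`, not by this string). The identical literal is repeated in the `cobbler_apache_spec.rb` hunk; exposing it as a class parameter with this value as the default would keep the manifest and spec from drifting and let operators tune the list without editing the manifest.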
@@ -102,7 +102,7 @@ describe "cobbler::apache" do
 :ssl_cert => "/var/lib/fuel/keys/master/cobbler/cobbler.crt",
 :ssl_key => "/var/lib/fuel/keys/master/cobbler/cobbler.key",
 :rewrites => ssl_rewrites,
- :ssl_cipher => "ALL:!ADH:!EXPORT:!SSLv2:!MEDIUM:!LOW:+HIGH",
+ :ssl_cipher => "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS",
 :setenvif => ["User-Agent \".*MSIE.*\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"],
 )
 end
@@ -119,4 +119,3 @@ describe "cobbler::apache" do
 end
 end
-