Refining rule to remove weak ciphers from lighttpd
This review will be refining the https ciphers rule, for the lighttpd service on port 8443, to avoid the use of ciphers considered weak based on the NIST list. The ciphers excluded are the ones that use CBC, CAMELLIA, ARIA and 3DES encryption mode, and any cipher that uses SHA1.

The ciphers that will be used by https:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_128_GCM_SHA256 (ecdh_x25519)

Test Plan:
PASS: Run build-pkgs -c -p puppet-manifests.
PASS: Enable https and run nmap to verify that only the listed ciphers are returned.
PASS: Run build-image.
PASS: Run bootstrap playbook.
PASS: Unlock controller-0.
PASS: Enable https and access horizon via browser using https.
PASS: Disable https and access horizon via browser using http.

Closes-Bug: 2054813
Change-Id: Ib21eb1155540f820a77ee7f7b9203663038ab69b
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
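Added check, not part of this commit or of the repository it targets: it expands both cipher strings from the hunk with the local OpenSSL (the library lighttpd's mod_openssl also uses) and lists every offered suite that still falls outside the policy stated in the commit message, so the nmap step of the test plan can be rehearsed offline. It assumes a Python built against OpenSSL; the "no static-RSA key exchange" rule is this check's reading of the six explicit `!AES*-GCM`/`!AES*-CCM` exclusions, not something the commit message states.

```python
import re
import ssl

# Cipher strings copied from the two sides of the hunk: the list being replaced and its replacement.
OLD_CIPHER_LIST = ("ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:"
                   "!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:"
                   "!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:"
                   "!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:"
                   "!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:"
                   "!ECDHE-ECDSA-AES256-SHA")
NEW_CIPHER_LIST = ("ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:!DES:!CAMELLIA:!MD5:"
                   "!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM")

# In OpenSSL's "Enc=" field the algorithm name carries the mode: "AES(128)" is AES-CBC, while
# "AESGCM(128)" / "AESCCM(128)" / "CHACHA20/POLY1305(256)" are AEAD. These algorithms are never acceptable.
LEGACY_ENC = {"3DES", "DES", "Camellia", "ARIA", "RC4", "SEED", "IDEA"}
FIELD_RE = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def expand(cipher_list):
    """Expand a cipher string with the local libssl, as lighttpd's mod_openssl would.
    TLS 1.3 suites are dropped: a cipher string never selects them, OpenSSL configures those separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError only if no suite at all is left
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_list):
    """Return (suite, reason) for each offered suite that violates the policy: no 3DES/Camellia/ARIA,
    no CBC (HMAC-protected, hence also SHA-1) suites, and no static-RSA key exchange (assumed intent)."""
    findings = []
    for c in expand(cipher_list):
        f = dict(FIELD_RE.findall(c["description"]))
        enc_alg = f["Enc"].split("(")[0]
        if enc_alg in LEGACY_ENC:
            findings.append((c["name"], "legacy cipher " + f["Enc"]))
        elif f["Mac"] != "AEAD":
            findings.append((c["name"], "CBC suite with HMAC Mac=" + f["Mac"]))
        elif f["Kx"] == "RSA":
            findings.append((c["name"], "static RSA key exchange, no forward secrecy"))
    return findings


if __name__ == "__main__":
    for label, cl in (("old", OLD_CIPHER_LIST), ("new", NEW_CIPHER_LIST)):
        findings = audit(cl)
        print("%s list: %d suites offered, %d policy violations" % (label, len(expand(cl)), len(findings)))
        for name, reason in findings:
            print("   ", name, "-", reason)
```

The old list is expected to report CBC-SHA256/SHA384 and static-RSA GCM suites; the new list should report nothing, while DHE GCM/CCM and ECDSA suites may still appear in `expand()` because the string does not exclude them.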
parent 8f4a787df0
commit 075a39e1a2
@ -257,7 +257,7 @@ $SERVER["socket"] == ":<%= @https_port %>" {
ssl.ca-file = "/etc/ssl/private/server-cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:!DES:!CAMELLIA:!MD5:!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM"
}
$SERVER["socket"] == "[::]:<%= @https_port %>" {
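Review bot: on the `+` line, `!TLSv1` and `!TLSv1.1` do not restrict the negotiated protocol version, and `TLSv1.1` is not an OpenSSL cipher-string keyword at all (there are no TLS 1.1-specific suites, so the token is silently ignored). A cipher list only selects suites; if the lighttpd build in use does not already default to a TLS 1.2 floor, enforce it explicitly with `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` next to the existing `ssl.use-sslv2`/`ssl.use-sslv3` lines. Separately, the six trailing entries from `!AES256-GCM-SHA384` to `!AES128-CCM` remove the static-RSA key-exchange suites, a forward-secrecy goal the commit message does not mention; `!kRSA` states that intent in one token and also covers any static-RSA suite a future OpenSSL adds, and the commit message should say it.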
@ -266,7 +266,7 @@ $SERVER["socket"] == "[::]:<%= @https_port %>" {
ssl.ca-file = "/etc/ssl/private/server-cert.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!DES:!MD5:!PSK:!RC4:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!DES-CBC3-SHA:!AES128-SHA:!AES256-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!DHE-DSS-CAMELLIA128-SHA:!DHE-DSS-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA"
ssl.cipher-list = "ALL:!aNULL:!eNULL:!EXPORT:!TLSv1:!TLSv1.1:!SHA1:!3DES:!ARIA:!SHA256:!SHA384:!DES:!CAMELLIA:!MD5:!PSK:!RC4:!AES256-GCM-SHA384:!AES256-CCM8:!AES256-CCM:!AES128-GCM-SHA256:!AES128-CCM8:!AES128-CCM"
}
<% else %>
###
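Review bot: the `+` line in this `[::]` block is a byte-for-byte copy of the string in the IPv4 block above, and both had to be edited in lockstep in this very change; moving the list into one ERB variable set from the manifest (for example `@ssl_cipher_list`, name hypothetical) would keep the two sockets from drifting. A comment is also warranted on `!SHA256:!SHA384`: in OpenSSL cipher strings those aliases match suites whose MAC is HMAC-SHA256/SHA384, i.e. the CBC suites, which is why `ECDHE-RSA-AES128-GCM-SHA256` and the other AEAD suites in the commit message survive them; a reader taking the names literally will assume the GCM suites are being dropped. Note too that `DHE-RSA-AES128-GCM-SHA256`, `DHE-RSA-AES256-GCM-SHA384` and `DHE-RSA-CHACHA20-POLY1305` are not excluded by the string, so the six suites listed in the commit message are the complete set only while the server offers no DH parameters; the nmap check in the test plan is the right gate for that.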