
(PUP-2582) Update apache vhost SSL settings
05af20b70b5a



Description

(PUP-2582) Update apache vhost SSL settings

Previously the apache vhost defined an SSLCipherSuite which included
several weak ciphers. This commit disables the following algorithms:
aNULL, eNULL, DES, 3DES, IDEA, SEED, DSS, PSK, RC4, MD5

Second, previously LOW, SSLv2, and EXP were removed, but not
killed from the list, which meant that they could be added again in
subsequent declarations.

Third, ALL:!ADH meant that AECDH was enabled. This commit uses !aNULL
to disable all anonymous authentication algorithms. It also explicitly
specifies !eNULL (anonymous encryption algorithms).

Fourth, we were only enabling SSLv3 and TLSv1, but not TLSv1.1 or
TLSv1.2. TLSv1.2 protects against attacks known to work against SSLv3
and TLSv1.0.

Finally, SSLHonorCipherOrder is set to on, because certain clients do
not send ciphers in the correct preferred order, and this setting will
help mitigate that problem.

Thanks to Aaron Zauner <azet@azet.org> for bringing this to our attention.
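The commit message above turns on two details of OpenSSL cipher-list syntax that are easy to get wrong: `-KEYWORD` only removes suites from the current list (a later word can add them back), whereas `!KEYWORD` deletes them permanently; and `ADH` matches only anonymous Diffie-Hellman, so `ALL:!ADH` leaves the anonymous ECDH suites (`AECDH`) enabled, which is why the fix uses `!aNULL`. The following Python is an added illustration, not code from the Puppet repository or from OpenSSL: it models those prefix rules over a small constructed catalog of real suite names and evaluates a "before" string built on the pattern the message describes (`ALL:!ADH` plus `-` removals) against an "after" string built on the fix it describes. Both strings and the catalog are illustrative reconstructions, not the vhost template's actual text, and the `+`-joined AND form (e.g. `ECDHE+AES`) and `@STRENGTH` are deliberately not modelled.

```python
"""Toy model of OpenSSL cipher-list prefix semantics.

Added example: not OpenSSL, not Puppet code. The catalog and the cipher
strings are constructed for illustration.
"""
from collections import namedtuple

# Key exchange, authentication, encryption, MAC, the protocol OpenSSL lists the
# suite under, and a coarse strength class.
Suite = namedtuple("Suite", "name kx au enc mac proto strength")

# Constructed catalog: real suite names, real properties, small enough to
# follow by hand. (3DES is classed MEDIUM here; older OpenSSL said HIGH.)
CATALOG = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", "AEAD", "TLSv1.2", "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", "SHA1", "SSLv3", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1", "SSLv3", "MEDIUM"),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", "SHA1", "SSLv3", "LOW"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", "MD5", "SSLv3", "MEDIUM"),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", "MD5", "SSLv3", "EXP"),
    Suite("ADH-AES128-SHA", "DH", "NULL", "AES", "SHA1", "SSLv3", "HIGH"),
    Suite("AECDH-AES128-SHA", "ECDH", "NULL", "AES", "SHA1", "SSLv3", "HIGH"),
    Suite("NULL-SHA", "RSA", "RSA", "NULL", "SHA1", "SSLv3", "NONE"),
]

# Keyword -> predicate, following ciphers(1). Note that ADH and AECDH are
# disjoint, while aNULL covers both. Unknown words are taken as suite names.
KEYWORDS = {
    "ALL": lambda s: s.enc != "NULL",
    "aNULL": lambda s: s.au == "NULL",
    "eNULL": lambda s: s.enc == "NULL",
    "ADH": lambda s: s.kx == "DH" and s.au == "NULL",
    "AECDH": lambda s: s.kx == "ECDH" and s.au == "NULL",
    "LOW": lambda s: s.strength == "LOW",
    "EXP": lambda s: s.strength == "EXP",
    "SSLv2": lambda s: s.proto == "SSLv2",
    "SSLv3": lambda s: s.proto == "SSLv3",
    "TLSv1.2": lambda s: s.proto == "TLSv1.2",
    "RC4": lambda s: s.enc == "RC4",
    "DES": lambda s: s.enc == "DES",
    "3DES": lambda s: s.enc == "3DES",
    "IDEA": lambda s: s.enc == "IDEA",
    "SEED": lambda s: s.enc == "SEED",
    "MD5": lambda s: s.mac == "MD5",
    "DSS": lambda s: s.au == "DSS",
    "PSK": lambda s: s.kx == "PSK",
}


def matches(word, suite):
    pred = KEYWORDS.get(word)
    return pred(suite) if pred else suite.name == word


def expand(cipher_string):
    """Return the ordered suite names a cipher string selects.

    Prefix rules as in ciphers(1):
      (none)  append matching suites not already present and not killed
      -       drop matching suites; a later word may add them back
      +       move matching suites to the end of the current list
      !       delete matching suites permanently; nothing re-adds them
    """
    active, killed = [], set()
    for word in cipher_string.split(":"):
        if not word:
            continue
        op, key = (word[0], word[1:]) if word[0] in "-+!" else ("", word)
        hit = [s for s in CATALOG if matches(key, s)]
        if op == "!":
            killed.update(s.name for s in hit)
            active = [s for s in active if s not in hit]
        elif op == "-":
            active = [s for s in active if s not in hit]
        elif op == "+":
            moved = [s for s in active if s in hit]
            active = [s for s in active if s not in hit] + moved
        else:
            for s in hit:
                if s.name not in killed and s not in active:
                    active.append(s)
    return [s.name for s in active]


def anonymous_suites(cipher_string):
    """Suites in the expansion that perform no server authentication."""
    names = set(expand(cipher_string))
    return [s.name for s in CATALOG if s.au == "NULL" and s.name in names]


# Illustrative reconstructions of the two styles the commit message contrasts;
# not the vhost template's exact strings.
BEFORE = "ALL:!ADH:-LOW:-SSLv2:-EXP"
AFTER = "ALL:!aNULL:!eNULL:!LOW:!EXP:!SSLv2:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5"

if __name__ == "__main__":
    print("before:", expand(BEFORE))
    print("anonymous suites left by !ADH:", anonymous_suites(BEFORE))
    print("before, then LOW appended again:", expand(BEFORE + ":LOW"))
    print("after:", expand(AFTER))
    print("after, then LOW appended again:", expand(AFTER + ":LOW"))
```

Running it shows `AECDH-AES128-SHA` surviving `ALL:!ADH`, `DES-CBC-SHA` coming back when a later declaration appends `LOW` to the `-LOW` string, and neither surviving the `!`-based string. The same check can be made against a real OpenSSL with `openssl ciphers -v '<string>'`, which is the quickest way to confirm what a vhost's `SSLCipherSuite` actually enables before and after a change like this one.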

Details

Provenance
Authored by Matthaus Owens <matthaus@puppetlabs.com>
Committed by Josh Cooper <josh@puppetlabs.com> on May 16 2014, 12:59 AM
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPUfea22be6a957: (packaging) Update PUPPETVERSION to 3.6.0
Branches
Unknown
Tags
Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPU05af20b70b5a: (PUP-2582) Update apache vhost SSL settings (authored by Matthaus Owens <matthaus@puppetlabs.com>). May 16 2014, 12:59 AM