HTTPS Apache Config
The apache config currently accepts tls 1.0 and 1.1 which should be disabled to meet current standards. tls 1.2 should be the only accepted protocol.
@astrugatch Yeah, probably a good idea. We’d need to do extensive testing on this. E.g. iPXE boot, fog-client, storage nodes (php curl calls) and so on.
PS: Moved to feature request.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
added to the virtual host automatically when the ./installfog.sh -S is run just like
SSLEngine on SSLCertificateFile /path/to/signed_cert_and_intermediate_certs SSLCertificateKeyFile /path/to/private_key
is automatically added. I guess this is less a bug than a feature request geared toward security
I opened this up in github, but was posting it here to have a wider discussion for those that don’t visit github.
So what recommended changes are you proposing to disable tls 1.0 and 1.1? This isn’t exactly a bug since its up to the FOG Admin to properly secure their servers.