HTTPS Apache Config



  • The Apache config currently accepts TLS 1.0 and 1.1, which should be disabled to meet current standards. TLS 1.2 should be the only accepted protocol.


  • Developer

    @astrugatch Yeah, probably a good idea. We’d need to do extensive testing on this. E.g. iPXE boot, fog-client, storage nodes (php curl calls) and so on.

    PS: Moved to feature request.



  • @george1421

    To have:

    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    added to the virtual host automatically when the ./installfog.sh -S is run just like

        SSLEngine on
        SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
        SSLCertificateKeyFile   /path/to/private_key

    is automatically added. I guess this is less a bug than a feature request geared toward security.

    I opened this up in github, but was posting it here to have a wider discussion for those that don’t visit github.
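A quick way for a FOG admin to check whether a vhost still exposes the old protocols after the change above is to evaluate the SSLProtocol directive the way mod_ssl does. The script below is an added example, not FOG project code; the protocol expansion list for `all` is an assumption taken from the mod_ssl documentation, and the sample config is constructed.

```python
"""Audit Apache mod_ssl SSLProtocol values for SSLv3 / TLS 1.0 / TLS 1.1.

Added example (not FOG project code). Mirrors how mod_ssl evaluates the
directive: "all" expands to every protocol the build supports, "-X" removes
one, "+X" adds one. Expansion list assumed from the mod_ssl docs.
"""
import re

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(value):
    """Resolve an SSLProtocol value to the set of protocols it enables."""
    enabled = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def audit(config_text):
    """Map each vhost (or 'server config') to the weak protocols it still allows."""
    findings, scope = {}, "server config"
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            scope = m.group(1)                      # entering a vhost block
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "server config"                 # back to global context
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            weak = sorted(effective_protocols(m.group(1)) & WEAK)
            if weak:
                findings[scope] = weak
    return findings

# Constructed sample: a permissive vhost beside one using the thread's setting.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""
```

Running `audit(SAMPLE_CONFIG)` reports only the `*:443` vhost, which still accepts TLSv1 and TLSv1.1; feed it the real `/etc/apache2` or `/etc/httpd` vhost file after `installfog.sh -S` to confirm the generated block.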


  • Moderator

    So what recommended changes are you proposing to disable TLS 1.0 and 1.1? This isn’t exactly a bug since it’s up to the FOG Admin to properly secure their servers.

