Provide a more secure apache ssl.conf sslciphersuite configuration on by default
|Assigned To:||Tomer Brisker|
|Found in release:||Pull request:||https://github.com/theforeman/foreman-installer/pull/236, https://github.com/theforeman/foreman-installer/pull/237|
|Velocity based estimate||-|
Set the default ciphersuites for apache to a stronger setting than the default provided by the puppet module.
This sets the default ciphersuites to the recommended for the time of
writing for the supported servers and browsers. This also disables
TRACE method, which is not a security vulnerability but comes up often
in automated security audits and isn't required for proper functioning
#1 Updated by Ewoud Kohl van Wijngaarden 8 months ago
- Subject changed from Provide a more secure apache ssl.conf sslciphersuite configuration on by default to Provide a more secure apache ssl.conf sslciphersuite configuration on by default
- Status changed from New to Need more information
We could use the modern cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/ but could you be a bit more specific? The linked bugzilla is not public.
#2 Updated by Tomer Brisker 8 months ago
Yes, https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.6&openssl=1.0.1e&hsts=no&profile=intermediate should work for all our supported servers and browsers.
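An added example, not part of the original issue or of the foreman-installer code: a small audit for the two settings this change touches, `SSLCipherSuite` and `TraceEnable`, in a rendered Apache config. The weak-token list and both sample configs are constructed assumptions, and the check only reads the literal tokens; it does not expand aliases such as `ALL` or `MEDIUM`.

```python
import re

# Substrings treated as weak here: an assumption of this example, not a list from the issue.
WEAK = ("RC4", "MD5", "NULL", "EXP", "LOW", "DES-CBC-")

# Constructed sample configs (not Foreman's or the puppet module's actual files).
WEAK_CONF = """
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED_CONF = """
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
TraceEnable Off
"""

def directives(conf_text):
    """Yield (lowercased name, args) for each directive line, skipping comments and containers."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), [p.strip('"') for p in parts[1:]]

def audit(conf_text):
    """Return a list of findings; an empty list means both settings look hardened."""
    findings = []
    suite, trace = None, None
    for name, args in directives(conf_text):
        # Simplification: the last occurrence wins, ignoring per-vhost scoping.
        if name == "sslciphersuite" and args:
            suite = args[-1]  # the cipher spec is the last argument
        elif name == "traceenable" and args:
            trace = args[0].lower()
    if suite is None:
        findings.append("SSLCipherSuite not set: module default applies")
    else:
        for token in re.split(r"[:, ]+", suite):
            # A leading '!' or '-' removes ciphers and a leading '+' only reorders them.
            if token and token[0] not in "!-+" and any(w in token.upper() for w in WEAK):
                findings.append(f"weak cipher token enabled: {token}")
    if trace != "off":
        findings.append("TraceEnable is not Off: TRACE method is allowed")
    return findings
```

To see the ciphers a string actually expands to on a given host, run `openssl ciphers -v '<string>'` against that host's OpenSSL build.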