Bug #20282: Provide a more secure apache ssl.conf sslciphersuite configuration on by default - Installer - Foreman

Bug #20282

Provide a more secure apache ssl.conf sslciphersuite configuration on by default

Added by Tomer Brisker over 5 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Tomer Brisker

Category:

Target version:

1.15.3

Difficulty:

Triaged:

Bugzilla link:

1467434

Pull request:

https://github.com/theforeman/foreman-installer/pull/237, https://github.com/theforeman/foreman-installer/pull/236

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Set the default ciphesuites for apache to a stronger setting then the default provided by the puppet module.

Associated revisions

Revision 267653fa (diff)
Added by Tomer Brisker over 5 years ago

Fixes #20282, #14667 - Provide more secure defaults for apache (#236)

This sets the default ciphersuites to the recommended for the time of
writing for the supported servers and browsers. This also disables
TRACE method, which is not a security vulnerability but comes up often
in automated security audits and isn't required for proper functioning
of Foreman.

Revision aea07409 (diff)
Added by Michael Moll over 5 years ago

Refs #20282 - add more ciphers (#237)

The list got cut off in the initial PR.

The JRE coming with Debian/jessie exposed problems with Puppetserver,
delivering reports to Foreman with the original cipher list.

History

#1 Updated by Ewoud Kohl van Wijngaarden over 5 years ago

Subject changed from Provide a more secure apache ssl.conf sslciphersuite configuration on by default to Provide a more secure apache ssl.conf sslciphersuite configuration on by default
Status changed from New to Need more information

We could use the modern cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/ but could you be a bit more specific? The linked bugzilla is not public.

#2 Updated by Tomer Brisker over 5 years ago

yes, https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.6&openssl=1.0.1e&hsts=no&profile=intermediate should work for all our supported servers and browsers.

#3 Updated by Tomer Brisker over 5 years ago

Status changed from Need more information to New

#4 Updated by The Foreman Bot over 5 years ago

Status changed from New to Ready For Testing
Assignee set to Tomer Brisker
Pull request https://github.com/theforeman/foreman-installer/pull/236 added

#5 Updated by Anonymous over 5 years ago

Status changed from Ready For Testing to Closed
% Done changed from 0 to 100

Applied in changeset 267653fadea7f443396ecf1443777dc5f6748ba4.

#6 Updated by Eric Helms over 5 years ago

Legacy Backlogs Release (now unused) set to 276

#7 Updated by The Foreman Bot over 5 years ago

Pull request https://github.com/theforeman/foreman-installer/pull/237 added

Also available in: Atom PDF

Project

General

Profile

Foreman » Installer

Issues

Custom queries