Feature #31387
Closed
Tracker #31386: Default to TLS 1.2+
Disable TLS 1.0 and 1.1 by default in Apache
Description
Clients needing these old versions are going EOL. The ecosystem is ready for TLS 1.2+ by default. This makes it easier for organizations to comply with PCI-DSS and similar stricter policies.
For those that still need older versions, it will be possible to override this via custom-hiera.yaml.
Updated by The Foreman Bot about 4 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/foreman-installer/pull/619 added
Updated by Besmir Zanaj about 4 years ago
- Found in Releases 1.24.3 added
Having the same issue, and the system does not pass the PCI audit.
What would be the easiest/safest way to disable them other than manually changing the Apache settings?
[root@HOST ~]# nmap --script ssl-enum-ciphers -p 443 foreman.domain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-12 23:28 GMT
Nmap scan report for foreman.domain.com (x.x.x.x)
Host is up (0.0011s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Target version set to 2.4.0
First of all, update to a supported version. Currently that's 2.2 and 2.3. Version 2.0 or 2.1 (I forgot exactly which one) fixes TLS 1.2+ by default for Foreman Proxy. Then you can also add the line from the patch to /etc/foreman-installer/custom-hiera.yaml and rerun the installer.
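Worked example of the override described in the issue and of the verification step behind the nmap report above. It is added here and is not code from the Foreman project or from the patch in PR 619. It assumes the installer manages Apache through puppetlabs-apache, whose apache::mod::ssl class accepts an ssl_protocol list; the exact hiera key the patch uses is not shown on this page, so treat the key below as an assumption and compare it with the patch. The names write_tls12_override, legacy_protocols, tls12_only and probe_tls, and the NMAP_BEFORE / NMAP_AFTER sample reports, are the example's own.

```sh
#!/bin/sh
# Added example for this tracker thread; not code from the Foreman project or
# from the installer patch. It (1) writes a custom-hiera.yaml override that keeps
# only TLS 1.2+ on the Foreman Apache vhost and (2) turns the output of
# "nmap --script ssl-enum-ciphers" into a pass/fail check for an audit.
set -eu

# ASSUMPTION: foreman-installer manages Apache with puppetlabs-apache, whose
# apache::mod::ssl class takes an ssl_protocol list. The page does not show the
# exact key the patch used, so compare this with the patch before relying on it.
# $1 is the file to write, e.g. /etc/foreman-installer/custom-hiera.yaml;
# re-run foreman-installer afterwards for it to take effect.
write_tls12_override() {
  cat > "$1" <<'EOF'
# Only TLS 1.2 and newer (TLS 1.3 too, where httpd/OpenSSL support it).
# Drop the '-TLSv1.1' line to temporarily re-admit TLS 1.1 clients.
apache::mod::ssl::ssl_protocol:
  - 'all'
  - '-SSLv3'
  - '-TLSv1'
  - '-TLSv1.1'
EOF
}

# Read nmap ssl-enum-ciphers output on stdin and print every protocol version
# below TLS 1.2 that still advertises at least one cipher suite, oldest first.
legacy_protocols() {
  awk '
    # Protocol header, e.g. "|   TLSv1.0:" or "|   SSLv3: No supported ciphers found"
    /^\|[ _]+(SSLv[23]|TLSv1(\.[0-9])?):/ {
      proto = $2; sub(/:$/, "", proto)
      if ($0 ~ /No supported ciphers found/) proto = ""
      next
    }
    # A cipher-suite line belonging to the current header
    proto != "" && /^\|[ _]+TLS_/ { seen[proto] = 1 }
    END {
      split("SSLv2 SSLv3 TLSv1.0 TLSv1.1", legacy, " ")
      for (i = 1; i <= 4; i++) if (legacy[i] in seen) print legacy[i]
    }'
}

# Exit 0 only when nothing below TLS 1.2 is offered (usable as a CI/audit gate).
tls12_only() {
  [ -z "$(legacy_protocols)" ]
}

# Live probe without nmap: one handshake attempt per protocol version.
# Needs network, so the offline demo below does not call it. A flag the local
# OpenSSL does not know (-tls1_3 on OpenSSL 1.0.x) also shows as "rejected";
# check `openssl s_client -help` when a result looks surprising.
probe_tls() {  # usage: probe_tls foreman.example.com [443]
  host=$1; port=${2:-443}
  for ver in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$host:$port" -servername "$host" "-$ver" \
         </dev/null >/dev/null 2>&1; then
      echo "$ver accepted"
    else
      echo "$ver rejected"
    fi
  done
}

# Constructed sample reports, trimmed to the shape nmap 6.40 prints above:
# "before" still offers TLS 1.0 and 1.1, "after" offers only TLS 1.2.
NMAP_BEFORE=$(cat <<'EOF'
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
EOF
)
NMAP_AFTER=$(cat <<'EOF'
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0: No supported ciphers found
|   TLSv1.1: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
EOF
)

# Offline demo: show the override file, then both verdicts.
tmp=$(mktemp)
write_tls12_override "$tmp" && cat "$tmp" && rm -f "$tmp"
printf '%s\n' "$NMAP_BEFORE" | tls12_only && echo "before: ok" || echo "before: legacy TLS still enabled"
printf '%s\n' "$NMAP_AFTER"  | tls12_only && echo "after: ok"  || echo "after: legacy TLS still enabled"
```

After editing custom-hiera.yaml, re-run foreman-installer, then re-scan with nmap and pipe the report through tls12_only, or run probe_tls against the host from a machine whose OpenSSL still speaks TLS 1.0/1.1. The override only covers the Apache vhost; as the comment above notes, the Foreman Proxy's TLS defaults were changed separately.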
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|06533f71557c663fbaad2cc28b93520604c12201.
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Category changed from Foreman modules to foreman-installer script
- Triaged changed from No to Yes