Feature #35629

Default Apache to use system ciphers via PROFILE=system

Added by Ewoud Kohl van Wijngaarden about 2 months ago. Updated 1 day ago.

Status: Closed
Priority: Normal
Category: foreman-installer script
Target version: -

Description

At least on EL8 it's possible to use PROFILE=system for SSLCipherSuite and SSLProxyCipherSuite. This allows admins to configure the cipher suite on a system level and it also means we don't have to keep our cipher suite up to date.
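An added example, not part of the issue or of foreman-installer's code: a small Python check that scans Apache configuration text for SSLCipherSuite and SSLProxyCipherSuite directives and reports which ones still pin an explicit cipher list instead of deferring to the system profile. The sample configuration is constructed, the function name is hypothetical, and comparing the profile value case-insensitively is an assumption made here.

```python
# Directives the issue wants delegated to the system-wide cipher policy.
DIRECTIVES = {"sslciphersuite": "SSLCipherSuite",
              "sslproxyciphersuite": "SSLProxyCipherSuite"}

# Constructed sample, not taken from foreman-installer or any real host.
SAMPLE_CONF = """\
# constructed sample vhost configuration
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLProxyCipherSuite PROFILE=SYSTEM
</VirtualHost>
<VirtualHost *:8443>
  SSLCipherSuite "PROFILE=system"
</VirtualHost>
"""


def audit_cipher_directives(conf_text):
    """Return (line_no, directive, cipher_spec, uses_system_profile) tuples.

    Hypothetical helper: it reads one blob of config text and does not
    follow Include directives or backslash line continuations.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = DIRECTIVES.get(tokens[0].lower())
        if directive is None or len(tokens) < 2:
            continue
        # Apache accepts an optional protocol argument before the spec,
        # so the cipher spec is always the last token on the line.
        spec = tokens[-1].strip("\"'")
        # Assumption: compare case-insensitively so that both spellings
        # (PROFILE=system as written in the issue, PROFILE=SYSTEM) match.
        uses_system = spec.upper() == "PROFILE=SYSTEM"
        findings.append((line_no, directive, spec, uses_system))
    return findings


if __name__ == "__main__":
    for line_no, directive, spec, uses_system in audit_cipher_directives(SAMPLE_CONF):
        state = "system profile" if uses_system else "hard-coded list"
        print(f"line {line_no}: {directive} -> {state} ({spec})")
```
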

Associated revisions

Revision 8472875d (diff)
Added by Ewoud Kohl van Wijngaarden about 1 month ago

Fixes #35629 - Default Apache to PROFILE=system ciphers

At least on EL8 it's possible to use PROFILE=system for SSLCipherSuite
and SSLProxyCipherSuite. This allows admins to configure the cipher
suite on a system level and it also means we don't have to keep our
cipher suite up to date.

Today SSLProxyCipherSuite is not yet an option, but Hiera will ignore
unknown keys. When the option becomes available, it will be set.

Revision 7e35242e (diff)
Added by Ewoud Kohl van Wijngaarden about 1 month ago

Refs #35629 - Use the correct cipher profile

Fixes: 8472875da9a6b94c8c5dd3696d697e671934afc1

Revision 899eea85 (diff)
Added by Ewoud Kohl van Wijngaarden about 1 month ago

Refs #35629 - Use built in Apache defaults on EL

Currently unreleased, but puppetlabs/apache will respect the EL8
defaults. It follows the system level configuration for TLS protocols,
which out of the box is TLSv1.2 & TLSv1.3.

It still keeps stricter security on Debian since there the default still
allows TLSv1.1 and some sub-optimal ciphers.

Revision ed50daee (diff)
Added by Ewoud Kohl van Wijngaarden about 1 month ago

Refs #35629 - Switch back to puppetlabs/apache releases

8.3.0 was released with the features we need.

History

#1 Updated by The Foreman Bot about 2 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/814 added

#2 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Bugzilla link set to 2134436

#3 Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 3.5.0 added

#4 Updated by Ewoud Kohl van Wijngaarden about 1 month ago

  • Status changed from Ready For Testing to Closed

#5 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/816 added

#6 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/817 added

#7 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/818 added

#8 Updated by Ewoud Kohl van Wijngaarden 1 day ago

  • Triaged changed from No to Yes
  • Category set to foreman-installer script
