<p><a href="https://projects.duckcorp.org/">DuckCorp Projects</a></p>
<p><strong>DuckCorp Infrastructure - Enhancement #460: SSL/TLS: check ciphers</strong></p>
<p><strong>Updated by Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu) on 2015-07-09T00:47:12Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=894">journal 894</a>)</p>
<p>Proposition:</p>
<pre>openssl ciphers 'TLSv1.2:!eNULL:!aNULL:!MD5:!DSS:!3DES:!EXP:!LOW:!MEDIUM:-ECDH:EECDH:-DH:EDH:!AES256-GCM-SHA384:!AES256-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:@STRENGTH'</pre>
<p><strong>Updated by Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu) on 2015-07-09T00:49:32Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=895">journal 895</a>)</p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/895/diff?detail_id=1146">diff</a>)</li></ul>
<p><strong>Updated by Marc Dequènes (duck@duckcorp.org) on 2015-07-12T21:28:10Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=904">journal 904</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li></ul>
<p><strong>Updated by Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu) on 2015-09-15T17:46:51Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=949">journal 949</a>)</p>
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>50</i></li></ul><p>Configuration of Postgresql (orfeo) and Apache (thorfinn, toushirou) updated.</p>
<p>As stated in #454, Bip and minbif must be patched.</p>
<p><strong>Updated by Marc Dequènes (duck@duckcorp.org) on 2017-05-11T14:41:57Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=1144">journal 1144</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>DC Admins</i></li></ul>
<p><strong>Updated by Marc Dequènes (duck@duckcorp.org) on 2017-06-25T12:18:18Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=1284">journal 1284</a>)</p>
<ul><li><strong>Security</strong> set to <i>Yes</i></li></ul><p>While working on HTTP2 support I absolutely needed a more up-to-date cipher list, see <a class="issue tracker-2 status-3 priority-3 priority-lowest closed" title="Enhancement: Test HTTP2 support for Apache (Resolved)" href="https://projects.duckcorp.org/issues/516">#516</a>. Still I would like a full-team review of these settings.</p>
<p>Here is the cipher list I found working for HTTP2 (seems PSK and maybe other ciphers are a no-go just by being present in the accepted list):</p>
<pre>
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
</pre>
<p>Also I added these parameters on Elwing and we should review them, complement them if needed, and propagate on all web hosts:</p>
<pre>
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLSessionTickets Off
</pre>
<p>We could update <em>/etc/apache2/mods-enabled/ssl.conf</em> via Ansible (even if Apache is not yet managed).</p>
<p><strong>Updated by Marc Dequènes (duck@duckcorp.org) on 2017-09-10T15:41:29Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=1500">journal 1500</a>)</p>
<ul><li><strong>% Done</strong> changed from <i>50</i> to <i>90</i></li></ul><p>Ansibilized.</p>
<p>If there is no objection I will then close this bug and of course we'll reevaluate from time to time.</p>
<p><strong>Updated by Marc Dequènes (duck@duckcorp.org) on 2017-09-23T07:56:03Z</strong> (<a href="https://projects.duckcorp.org/issues/460?journal_id=1541">journal 1541</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul>
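<p>The mod_ssl directives posted in this thread can be sanity-checked offline before they are propagated by Ansible. The following checker is an added example, not code from the issue or from the DuckCorp infrastructure; it assumes that <code>All</code> in <code>SSLProtocol</code> expands to SSLv3 through TLSv1.2 (the real expansion depends on the Apache/OpenSSL build) and it only inspects explicitly named suites, so keyword groups such as <code>HIGH</code> are not expanded.</p>

```python
# Sample input: the Apache directives posted in the thread above, embedded here as constructed test data.
APACHE_SSL_CONF = """
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLSessionTickets Off
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption: what "All" expands to; build-dependent
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = ("NULL", "EXP", "RC4", "DES-CBC", "MD5", "PSK", "ADH", "AECDH")  # what the thread's list excludes
EXPECTED = {"SSLHonorCipherOrder": "on", "SSLCompression": "off", "SSLSessionTickets": "off"}

def parse_directives(text):
    # Map each SSL* directive to its value; a later occurrence overrides an earlier one, as in Apache.
    pairs = (line.strip().split(None, 1) for line in text.splitlines())
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2 and p[0].startswith("SSL")}

def enabled_protocols(value):
    # Resolve "All -SSLv2 -SSLv3 ..." to the set of protocol versions left enabled.
    enabled = set()
    for token in value.split():
        if token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled |= ALL_PROTOCOLS if token.lower() == "all" else {token.lstrip("+")}
    return enabled

def audit_cipher_suite(value):
    # Check only explicitly named suites; "!"/"-" exclusions, "kEDH+AESGCM"-style groups and @STRENGTH are skipped.
    findings = []
    for suite in value.split(":"):
        if not suite or suite[0] in "!-+@" or "+" in suite:
            continue
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{suite}: no forward secrecy (not an ECDHE/DHE suite)")
        if any(weak in suite for weak in WEAK_TOKENS):
            findings.append(f"{suite}: weak algorithm")
        if "-DSS-" in suite:
            findings.append(f"{suite}: DSA authentication is deprecated")
    return findings

def audit(conf_text):
    # Returns the enabled protocol set and every finding for a mod_ssl fragment.
    d = parse_directives(conf_text)
    findings = audit_cipher_suite(d.get("SSLCipherSuite", ""))
    enabled = enabled_protocols(d.get("SSLProtocol", "All"))
    findings += [f"SSLProtocol: {p} still enabled" for p in sorted(enabled & DEPRECATED_PROTOCOLS)]
    findings += [f"{k}: expected '{v}'" for k, v in EXPECTED.items() if d.get(k, "").lower() != v]
    return {"protocols": enabled, "findings": findings}
```

<p>Run against the list from the thread it leaves only TLSv1.2 enabled and flags the three DHE-DSS suites, which the first proposition in this thread had already excluded with <code>!DSS</code>. For a cipher string built from keyword groups, expand it first with <code>openssl ciphers -v '...'</code> and feed the resulting suite names to <code>audit_cipher_suite</code>.</p>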