SSL cipher changes (issue 859) #909
Conversation
|
https://mozilla.github.io/server-side-tls/ssl-config-generator/ still enables TLSv1 on the intermediate profile which I think is a good default for the module. Have you checked this against https://www.ssllabs.com/ as well? Did it give an A rating? |
|
@ekohl: I didn't have an easy and quick way to expose a test box using the Puppet generated config to the network... Would love it if someone has time to test, but if not, I can come up with something early next week. |
|
TODO: once cipher list is finalized, also need to update |
|
https://mozilla.github.io/server-side-tls/ssl-config-generator/ does look reasonable (though not sure what OpenSSL version we should specify as highest, I'm reasonably sure we don't have 1.0.1e everywhere). Someone on IRC suggested that site as well. I am taking that recommendation; updated docs and also had mailhost use nginx::config::ssl_ciphers as default rather than hard-coding it in the template. |
| @@ -28,14 +28,9 @@ server { | |||
| ssl on; | |||
| ssl_certificate <%= @ssl_cert %>; | |||
| ssl_certificate_key <%= @ssl_key %>; | |||
|
|
|||
| ssl_session_timeout 5m; | |||
|
|
|||
| ssl_protocols TLSv1; | |||
There was a problem hiding this comment.
I like the re-use of the $nginx::config::ssl_ciphers. Should we do the same for ssl_protocols here?
Based on voxpupuli#909. It also adds a test for the $ssl_ciphers parameter.
| # Suggested from https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx | ||
| ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
|
|
||
| ssl_ciphers <%= @ssl_ciphers %>; |
There was a problem hiding this comment.
The same change applies to the puppet-nginx/templates/mailhost/mailhost.erb file. Because the SSL part of the two templates are equal I used to combine the two into one file that gets included. I'll fix the missing variable in my PR #769.
SSL cipher changes (issue 859)
Based on voxpupuli#909. It also adds a test for the $ssl_ciphers parameter.
SSL cipher changes (issue 859)
Based on voxpupuli#909. It also adds a test for the $ssl_ciphers parameter.
This is my first stab at updating the SSL cipher list (re: #859)
I suppose we can't / shouldn't disable TLS 1.0 yet?