+1 here, though additional testing of the koji change can't hurt. -Ricky On 10/14/2014 09:32 PM, Kevin Fenzi wrote: > There's been a vulnerability discovered in SSLv3 that basically allows > attackers to decrypt it. ;( > > I would like to apply the following and disable it on our sites for now > until and unless we find a better solution in coming days. > > Note that I am likely going to try and test the koji change in stg first > and might adjust it some. > > I'll also likely apply this soon anyhow as it's a security issue, > but more eye's +1's welcome. > > kevin > -- > diff --git a/configs/httpd/websites/infrastructure.fedoraproject.org.conf b/configs/httpd/websites/infrastructur > index 2d8a8dc..2d197eb 100644 > --- a/configs/httpd/websites/infrastructure.fedoraproject.org.conf > +++ b/configs/httpd/websites/infrastructure.fedoraproject.org.conf > @@ -56,7 +56,7 @@ > # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 > # If you change the protocols or cipher suites, you should probably update > # modules/squid/files/squid.conf-el6 too, to keep it in sync. > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC > > Include "conf.d/infrastructure.fedoraproject.org/*.conf" > diff --git a/configs/system/fedorapeople/people.conf b/configs/system/fedorapeople/people.conf > index 113321b..674f28a 100644 > --- a/configs/system/fedorapeople/people.conf > +++ b/configs/system/fedorapeople/people.conf 
> @@ -36,7 +36,7 @@ NameVirtualHost [2610:28:3090:3001:5054:ff:fedb:7f5a]:443 > SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert > SSLHonorCipherOrder On > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" > > diff --git a/configs/system/planet/planet.conf b/configs/system/planet/planet.conf > index 0ee76fc..ed80bcc 100644 > --- a/configs/system/planet/planet.conf > +++ b/configs/system/planet/planet.conf > @@ -47,7 +47,7 @@ > SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert > SSLHonorCipherOrder On > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > DocumentRoot "/srv/planet/site/" > > diff --git a/configs/web/fedorahosted.org.conf b/configs/web/fedorahosted.org.conf > index f3476c2..b5ac057 100644 > --- a/configs/web/fedorahosted.org.conf > +++ b/configs/web/fedorahosted.org.conf > @@ -23,7 +23,7 @@ Listen 443 > SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert > SSLHonorCipherOrder On > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" > > diff --git a/configs/web/git.fedorahosted.org.conf b/configs/web/git.fedorahosted.org.conf > index bba8519..f670515 100644 > --- a/configs/web/git.fedorahosted.org.conf > +++ b/configs/web/git.fedorahosted.org.conf 
> @@ -21,7 +21,7 @@ Alias /robots.txt /srv/web/fedorahosted.org/robots.txt > SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert > SSLHonorCipherOrder On > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > Alias /cgit-data /usr/share/cgit > ScriptAlias /cgit /var/www/cgi-bin/cgit > diff --git a/configs/web/koji-ssl.conf b/configs/web/koji-ssl.conf > index 93696c8..307e82d 100644 > --- a/configs/web/koji-ssl.conf > +++ b/configs/web/koji-ssl.conf > @@ -97,7 +97,7 @@ SSLEngine on > # SSL Protocol support: > # List the enable protocol levels with which clients will be able to > # connect. Disable SSLv2 access by default: > -SSLProtocol all -SSLv2 > +SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > # SSL Cipher Suite: > # List the ciphers that the client is permitted to negotiate. > diff --git a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf b/configs/web/pkgs.fedoraproject.org/looka > index bf41146..bfb44d6 100644 > --- a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf > +++ b/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf > @@ -29,8 +29,7 @@ SSLCryptoDevice builtin > SSLCARevocationFile /etc/pki/tls/crl.pem > > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- > - SSLProtocol +SSLv3 +TLSv1 > - > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > # Must be 'optional' everywhere in order to have POST operations work to upload.cgi > SSLVerifyClient optional > diff --git a/modules/httpd/templates/website.conf.erb b/modules/httpd/templates/website.conf.erb > index 668c090..817b5ef 100644 > --- a/modules/httpd/templates/website.conf.erb > +++ b/modules/httpd/templates/website.conf.erb 
> @@ -42,7 +42,7 @@ > # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 > # If you change the protocols or cipher suites, you should probably update > # modules/squid/files/squid.conf-el6 too, to keep it in sync. > - SSLProtocol +SSLv3 +TLSv1 > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC > > Include "conf.d/<%= name %>/*.conf" > diff --git a/modules/puppet/files/puppetmaster.conf b/modules/puppet/files/puppetmaster.conf > index 4294a14..08a6d3b 100644 > --- a/modules/puppet/files/puppetmaster.conf > +++ b/modules/puppet/files/puppetmaster.conf > @@ -58,6 +58,7 @@ user apache > ServerName master.puppetmanaged.org > SSLEngine on > SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA > + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem > SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem > SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem > diff --git a/modules/squid/files/squid.conf-el6 b/modules/squid/files/squid.conf-el6 > index 80b8e86..123af78 100644 > --- a/modules/squid/files/squid.conf-el6 > +++ b/modules/squid/files/squid.conf-el6 > @@ -1,5 +1,5 @@ > http_port 80 defaultsite=kojipkgs.fedoraproject.org > -https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc > +https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc > > cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs > hierarchy_stoplist cgi-bin ? > > > > _______________________________________________ > infrastructure mailing list > infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/infrastructure >
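Review bot: the new `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` line in configs/httpd/websites/infrastructure.fedoraproject.org.conf (and the identical change in the other httpd configs and in modules/httpd/templates/website.conf.erb) uses protocol tokens that only newer mod_ssl builds understand; older httpd 2.2 builds reject `TLSv1.1`/`TLSv1.2` as an illegal protocol and then refuse to start. Run `httpd -t` on an el6 host for each affected config before this goes out everywhere, since a typo-free diff can still take a site down here.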
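Review bot: the comment directly above the changed line in configs/web/koji-ssl.conf still reads `# connect. Disable SSLv2 access by default:`, which no longer describes the directive below it; with `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` both SSLv2 and SSLv3 are off. Update the comment in the same hunk, e.g. `# connect. Only TLS is allowed; SSLv2 and SSLv3 are disabled:`, so the file does not contradict itself.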
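Review bot: the configs/web/pkgs.fedoraproject.org/lookaside-upload.conf hunk (`@@ -29,8 +29,7 @@`) also deletes the blank line that followed `SSLProtocol`, which is unrelated to the SSLv3 fix and is the only hunk in the series that is not a one-line swap; either keep the blank line or mention the whitespace cleanup in the commit message so it does not look accidental.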
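Review bot: in modules/puppet/files/puppetmaster.conf the added `SSLProtocol` line sits directly under `SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA`, which is left as is; that cipher string is built from the `SSLv2` cipher alias plus `RC4+RSA`, so RC4 and other legacy suites stay negotiable over TLS after SSLv3 is gone, and unlike the other files there is no `SSLHonorCipherOrder On`. Suggest replacing it with the ECDHE-based `SSLCipherSuite` list used in people.conf and planet.conf and adding `SSLHonorCipherOrder On`, after confirming the puppet agents' OpenSSL can negotiate those suites.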
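Review bot: the modules/squid/files/squid.conf-el6 hunk cannot be reviewed from this mail: the `-https_port` and `+https_port` lines are both cut off at `key=/etc`, so the visible text is identical and whatever option actually disables SSLv3 in squid is not shown. Please paste the full `https_port` line (or state the option used) so the +1s cover that change as well, since the httpd comments explicitly say squid.conf-el6 has to stay in sync with the protocol settings.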