Hi, Sorry for the mistake in the previous one: I had specified the name of the cipher, which is not the same as the OpenSSL cipher spec. Here is another patch that does the same but now actually uses the correct cipher spec (and so works). The only change wrt the previous patch is that the cipher name (TLS_RSA_WITH_AES_256_CBC_SHA) has been replaced with the cipher spec (AES256-SHA). From 1833afa7dd674059a1d1e250a9924315bece044f Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> Date: Fri, 21 Nov 2014 04:05:54 +0000 Subject: [PATCH] Now really enable the correct cipher. OpenSSL AES256-SHA = TLS_RSA_WITH_AES_256_CBC_SHA --- .../download/files/httpd/dl.fedoraproject.org.conf | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/roles/download/files/httpd/dl.fedoraproject.org.conf b/roles/download/files/httpd/dl.fedoraproject.org.conf index 7be586c..aaa3872 100644 --- a/roles/download/files/httpd/dl.fedoraproject.org.conf +++ b/roles/download/files/httpd/dl.fedoraproject.org.conf 
@@ -25,7 +25,7 @@ # modules/squid/files/squid.conf-el6 too, to keep it in sync. SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK Include "conf.d/dl.fedoraproject.org/*.conf" </VirtualHost> -- 1.7.2.1 With kind regards, Patrick Uiterwijk Associate Software Engineer, Red Hat ----- Original Message ----- > On Thu, Nov 20, 2014 at 04:17:50PM -0500, Patrick Uiterwijk wrote: > > Hi all, > > > > Since boot.fedoraproject.org does not support (EC)DHE_ ciphers, the > > attached patch will add support for RSA_WITH_AES_256_CBC_SHA256 to > > dl*.fedoraproject.org. > > Please +1 or -2? 
> > > +1 > > -Toshio > > _______________________________________________ > infrastructure mailing list > infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/infrastructure
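Review bot: The context comment at the top of the hunk says modules/squid/files/squid.conf-el6 has to be kept in sync with this cipher list, yet the diffstat shows only dl.fedoraproject.org.conf changed; the AES256-SHA entry should be added to the squid configuration in the same commit or a companion one. The original request in the thread named RSA_WITH_AES_256_CBC_SHA256, while the commit message maps AES256-SHA to TLS_RSA_WITH_AES_256_CBC_SHA, so the commit message should say which of the two boot.fedoraproject.org actually needs (the SHA256 variant is AES256-SHA256 in OpenSSL's naming). AES256-SHA uses static RSA key exchange and gives no forward secrecy; placing it after every ECDHE and DHE suite, as the added line does, keeps it a last-resort fallback, but that ordering only binds clients if the server enforces its own preference, and no SSLHonorCipherOrder directive is visible in this hunk, so please confirm it is set for this virtual host.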