Hi, Turns out that these three services were not yet using our global secure cipher set. This means that they have the Apache defaults, which are quite insecure (RC4 and no FS). Can I please get +1s to apply the underneath patch? Patrick commit 55183057fc95109df5d6b50258918c59c7930674 Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> Date: Fri Mar 17 23:28:19 2017 +0000 Update Pagure, anitya and piwik to use the secure cipher set Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> diff --git a/roles/anitya/frontend/files/0_releasemonitoring.conf b/roles/anitya/frontend/files/0_releasemonitoring.co index 56a0bfb..e054147 100644 --- a/roles/anitya/frontend/files/0_releasemonitoring.conf +++ b/roles/anitya/frontend/files/0_releasemonitoring.conf @@ -7,8 +7,8 @@ ServerName release-monitoring.org:443 SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index a7b7e70..3c3f353 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -64,7 +64,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ServerAdmin admin@xxxxxxxxxxxxxxxxx SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" 
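Review bot: `roles/anitya/frontend/files/0_releasemonitoring.conf` sits under the role's `files/` directory, so the new `SSLProtocol {{ ssl_protocols }}` and `SSLCipherSuite {{ ssl_ciphers }}` lines only take effect if the file is rendered through Jinja2. The task that deploys it is not in this diff; if it uses `copy`, the braces are written out literally and httpd will most likely reject the configuration on reload instead of picking up the secure cipher set. The `roles/piwik/files/piwik-httpd.conf` hunk has the same problem. I would move both files under `templates/`, deploy them with `template`, and confirm that `ssl_protocols` and `ssl_ciphers` are defined for these hosts. The virtual-host block being edited begins and ends outside the hunk.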
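Review bot: The retained comment `# Use secure TLSv1.1 and TLSv1.2 ciphers` now trails the new `SSLCipherSuite {{ ssl_ciphers }}` line in the hunk at +64, and whether it is true depends entirely on the variable's value, which this diff does not show. I would replace it with a comment above the two directives, for example `# Protocols and ciphers come from the shared ssl_protocols / ssl_ciphers variables`, since the anitya and piwik hunks drop the old comment altogether. The hunks at +114 and +140 in this file carry the same leftover comment. The enclosing virtual-host block begins and ends outside each hunk.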
@@ -113,7 +114,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %} SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" @@ -138,7 +140,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na WSGIScriptAlias / /var/www/docs_pagure.wsgi SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" diff --git a/roles/piwik/files/piwik-httpd.conf b/roles/piwik/files/piwik-httpd.conf index 4b55fdc..881c509e 100644 --- a/roles/piwik/files/piwik-httpd.conf +++ b/roles/piwik/files/piwik-httpd.conf @@ -11,8 +11,8 @@ ServerName piwik.fedorainfracloud.org SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" SSLCertificateFile /etc/pki/tls/certs/piwik.fedorainfracloud.org.cert _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx