On Fri, Mar 17, 2017 at 11:29 PM, Patrick Uiterwijk
<puiterwijk@xxxxxxxxxx> wrote:
> Hi,
>
> Turns out that these three services were not yet using our global
> secure cipher set.
> This means that they have the Apache defaults, which are quite
> insecure (RC4 and no FS).
> Can I please get +1s to apply the underneath patch?
+1 seems sane to me
> Patrick
>
>
> commit 55183057fc95109df5d6b50258918c59c7930674
> Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
> Date: Fri Mar 17 23:28:19 2017 +0000
>
> Update Pagure, anitya and piwik to use the secure cipher set
>
> Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>
> diff --git a/roles/anitya/frontend/files/0_releasemonitoring.conf
> b/roles/anitya/frontend/files/0_releasemonitoring.co
> index 56a0bfb..e054147 100644
> --- a/roles/anitya/frontend/files/0_releasemonitoring.conf
> +++ b/roles/anitya/frontend/files/0_releasemonitoring.conf
> @@ -7,8 +7,8 @@
> ServerName release-monitoring.org:443
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> - # Use secure TLSv1.1 and TLSv1.2 ciphers
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
> diff --git a/roles/pagure/frontend/templates/0_pagure.conf
> b/roles/pagure/frontend/templates/0_pagure.conf
> index a7b7e70..3c3f353 100644
> --- a/roles/pagure/frontend/templates/0_pagure.conf
> +++ b/roles/pagure/frontend/templates/0_pagure.conf
> @@ -64,7 +64,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> ServerAdmin admin@xxxxxxxxxxxxxxxxx
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> @@ -113,7 +114,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> {% endif %}
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> @@ -138,7 +140,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> WSGIScriptAlias / /var/www/docs_pagure.wsgi
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> diff --git a/roles/piwik/files/piwik-httpd.conf
> b/roles/piwik/files/piwik-httpd.conf
> index 4b55fdc..881c509e 100644
> --- a/roles/piwik/files/piwik-httpd.conf
> +++ b/roles/piwik/files/piwik-httpd.conf
> @@ -11,8 +11,8 @@
> ServerName piwik.fedorainfracloud.org
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> - # Use secure TLSv1.1 and TLSv1.2 ciphers
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> SSLCertificateFile /etc/pki/tls/certs/piwik.fedorainfracloud.org.cert
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
