Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/03/09 08:15:12 UTC

git commit: updated refs/heads/master to 5256b02

Repository: cloudstack
Updated Branches:
  refs/heads/master e86c7a2a9 -> 5256b0205


systemvm: have apache2 use secure SSL cipher suite

Created using Mozilla's ssl config generator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Intermediate setting was used, with apache version 2.2.22 and openssl 1.0.1e
Oldest compatible clients:
Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
(cherry picked from commit ab8f367850c7ef75e1ff851397ff7dee4b5e40ab)
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5256b020
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5256b020
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5256b020

Branch: refs/heads/master
Commit: 5256b0205aef2a9e5fe36ee15a614c95b58ec49b
Parents: e86c7a2
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Mon Mar 9 12:39:26 2015 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Mon Mar 9 12:45:06 2015 +0530

----------------------------------------------------------------------
 systemvm/patches/debian/config/etc/apache2/httpd.conf           | 5 +++--
 .../debian/config/etc/apache2/sites-available/default-ssl       | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5256b020/systemvm/patches/debian/config/etc/apache2/httpd.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/httpd.conf b/systemvm/patches/debian/config/etc/apache2/httpd.conf
index 2a6b921..56366f2 100644
--- a/systemvm/patches/debian/config/etc/apache2/httpd.conf
+++ b/systemvm/patches/debian/config/etc/apache2/httpd.conf
@@ -1,2 +1,3 @@
-SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
-SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLHonorCipherOrder     on
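Review bot: The DHE-* entries in the new `SSLCipherSuite` (here and in the identical string added to sites-available/default-ssl) depend on the server's DH group size, which nothing in this change pins or documents. The commit message targets apache 2.2.22, and as far as I know mod_ssl in that release line negotiates DHE with built-in 1024-bit parameters that cannot be replaced from configuration, so clients without ECDHE would get forward secrecy from a group below current recommendations. I would record that above the directive, e.g. `# DHE suites use httpd's built-in DH group on 2.2.x; revisit when httpd/openssl is upgraded`. It is also worth confirming that the `DES-CBC3-SHA` fallback is still needed for the legacy clients listed in the commit message.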

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5256b020/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
index 6699f14..a2c21d7 100644
--- a/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
+++ b/systemvm/patches/debian/config/etc/apache2/sites-available/default-ssl
@@ -43,6 +43,8 @@
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
 	SSLProtocol all -SSLv2 -SSLv3
+	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+	SSLHonorCipherOrder on
 
 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
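Review bot: The cipher string added inside this virtual host is a byte-for-byte copy of the one set in httpd.conf, with no comment saying where it came from or that the two must change together. A per-vhost `SSLCipherSuite` overrides the server-level value, so a later edit to httpd.conf alone would silently leave this vhost on the old list. If httpd.conf is loaded at server scope (not visible here), the vhost could inherit the setting and these two added lines could be dropped. Otherwise add a comment such as `#   Mozilla "intermediate" profile; keep identical to SSLCipherSuite in etc/apache2/httpd.conf`. The hunk shows only part of the VirtualHost block.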