Posted to dev@whimsical.apache.org by sebb <se...@gmail.com> on 2020/10/22 13:20:50 UTC

Why does Whimsy override apache::mod::ssl::ssl_protocol: ?

whimsy-vm*.yaml have:
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']

AFAICT this overrides the default, which is

apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1',
'-TLSv1.1']

Is there a reason for the override?

S

Re: Why does Whimsy override apache::mod::ssl::ssl_protocol: ?

Posted by Matt Sicker <bo...@gmail.com>.
Without explicitly disabling TLS 1.0 and 1.1, doesn't that open the
config up to TLS downgrade attacks? Just because RC4 is disabled isn't
enough to patch up old TLS protocol versions. It should be using 1.2
minimum.

On Thu, 22 Oct 2020 at 09:30, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Thu, Oct 22, 2020 at 9:21 AM sebb <se...@gmail.com> wrote:
> >
> > whimsy-vm*.yaml have:
> > apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']
> >
> > AFAICT this overrides the default, which is
> >
> > apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1',
> > '-TLSv1.1']
> >
> > Is there a reason for the override?
>
> This change was made by the infrastructure team:
>
> https://github.com/apache/infrastructure-puppet/commit/b9b1a54e603eb9cd0a12a2ac782041bc06cf09d7
>
> > S
>
> - Sam Ruby



-- 
Matt Sicker <bo...@gmail.com>

Re: Why does Whimsy override apache::mod::ssl::ssl_protocol: ?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Thu, Oct 22, 2020 at 9:21 AM sebb <se...@gmail.com> wrote:
>
> whimsy-vm*.yaml have:
> apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']
>
> AFAICT this overrides the default, which is
>
> apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1',
> '-TLSv1.1']
>
> Is there a reason for the override?

This change was made by the infrastructure team:

https://github.com/apache/infrastructure-puppet/commit/b9b1a54e603eb9cd0a12a2ac782041bc06cf09d7

> S

- Sam Ruby
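
Added example (not part of the thread, and not code from Whimsy or infrastructure-puppet): a small Python check that works out which protocol versions each of the two ssl_protocol lists quoted above leaves enabled. The expansion of 'all', the left-to-right token handling and the SSLv2 handling are assumptions modelled on the SSLProtocol directive of Apache httpd 2.4; the real set depends on the httpd and OpenSSL builds in use.

```python
# ASSUMPTION: what 'all' expands to; it varies with the httpd/OpenSSL build.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions below TLS 1.2


def effective_protocols(tokens):
    """Apply SSLProtocol-style tokens left to right; return the enabled set."""
    canonical = {p.lower(): p for p in ALL}
    enabled = set()
    for raw in tokens:
        tok = raw.strip()
        if not tok:
            raise ValueError("empty token")
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name == "sslv2":
            if sign == "-":
                continue  # assumed: removing SSLv2 is accepted as a no-op
            raise ValueError("SSLv2 cannot be enabled")
        if name == "all":
            group = set(ALL)
        elif name in canonical:
            group = {canonical[name]}
        else:
            raise ValueError(f"unknown protocol token: {raw!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            # assumed: an unsigned token replaces whatever was set before it
            enabled = set(group)
    return enabled


def legacy_enabled(tokens):
    """Protocol versions older than TLS 1.2 that the list still allows."""
    return sorted(effective_protocols(tokens) & LEGACY)


# The two lists quoted in the thread.
OVERRIDE = ['all', '-SSLv2', '-SSLv3']
DEFAULT = ['all', '-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1']

if __name__ == "__main__":
    for label, tokens in (("override", OVERRIDE), ("default", DEFAULT)):
        print(label, sorted(effective_protocols(tokens)),
              "legacy:", legacy_enabled(tokens))
```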