
Contents of /rpms/e-smith-apache/sme10/e-smith-apache-2.6.0-bz10459-Ciphers-and-TLS.patch


Revision 1.1
Sat May 2 03:05:56 2020 UTC (4 years, 6 months ago) by jpp
Branch: MAIN
CVS Tags: e-smith-apache-2_6_0-5_el7_sme
* Fri May 01 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-5.sme
- disable TLSv1 TLSv1.1 by default [SME: 10459]
- put strong ciphers first in default string

1 diff -Nur e-smith-apache-2.6.0.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite e-smith-apache-2.6.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
2 --- e-smith-apache-2.6.0.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite 2016-02-04 13:27:55.000000000 -0500
3 +++ e-smith-apache-2.6.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite 2020-05-01 23:03:04.903000000 -0400
4 @@ -1,5 +1,5 @@
5 {
6 # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
7 $OUT = "SSLCipherSuite ";
8 - $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
9 + $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
10 }
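Review bot: The new default on the `+` line only puts the four AES-GCM suites "first" in a meaningful sense if the server's preference order is enforced, and nothing in this hunk sets `SSLHonorCipherOrder on`; please confirm another template fragment does, otherwise the client's ordering still decides and the reordering has no effect. The comment at the top of the hunk says the smeserver-qpsmtpd template must be updated together with this one, but this patch only touches e-smith-apache, so the matching change should be referenced or shipped alongside. The explicit list is also RSA-only (`ECDHE-RSA-...`, `DHE-RSA-...`), so a host with an ECDSA certificate falls straight through to `HIGH` and gets no preferred ordering; worth a comment in the template. Finally, hosts that already have `$modSSL{CipherSuite}` set keep their old string, which the changelog should mention.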
11 diff -Nur e-smith-apache-2.6.0.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol e-smith-apache-2.6.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
12 --- e-smith-apache-2.6.0.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol 2016-02-04 13:27:55.000000000 -0500
13 +++ e-smith-apache-2.6.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol 2020-05-01 23:02:32.316000000 -0400
14 @@ -3,6 +3,7 @@
15 $OUT .= "SSLProtocol all";
16 $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
17 $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
18 - $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'enabled') eq 'enabled';
19 - $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'enabled') eq 'enabled';
20 + $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
21 + $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
22 + $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
23 }
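Review bot: The added `-TLSv1.2` line makes it possible to subtract every protocol: with TLSv1 and TLSv1.1 now defaulting to 'disabled', setting the `TLSv1.2` property to anything other than 'enabled' yields `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`, which leaves nothing to negotiate unless the httpd/OpenSSL build offers a newer protocol. A guard that refuses to emit `-TLSv1.2` when TLSv1 and TLSv1.1 are also off (or at least a warning comment in the generated config) would prevent a one-property change from taking HTTPS down. Separately, flipping the fallback for `TLSv1` and `TLSv1.1` from 'enabled' to 'disabled' changes behaviour on upgrade for every install that never set these properties; the changelog entry says "by default" but the template should carry a comment naming the `httpd-e-smith` properties an admin sets to re-enable them for legacy clients.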
