| author | Christian Heimes <cheimes@redhat.com> | 2016-01-21 16:09:10 +0100 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-02-11 10:44:29 +0100 |
| commit | 5ac3a3cee534a16db86c541b9beff4939f03410e (patch) | |
| tree | d0aff8d1bb1d4976e99120b01976bf1ccf293beb /ipaserver/install/httpinstance.py | |
| parent | 42d364427606e39486645e4064ca16940b2f8837 (diff) | |
| download | freeipa-5ac3a3cee534a16db86c541b9beff4939f03410e.tar.gz freeipa-5ac3a3cee534a16db86c541b9beff4939f03410e.tar.xz freeipa-5ac3a3cee534a16db86c541b9beff4939f03410e.zip | |
Modernize mod_nss's cipher suites
The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
has been modernized. Insecure or less secure algorithms such as RC4,
DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
ECDH key exchange have been added. IE 8 on Windows XP is no longer
supported.
The list of enabled cipher suites has been generated with the script
contrib/nssciphersuite/nssciphersuite.py.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
| -rw-r--r-- | ipaserver/install/httpinstance.py | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82..44e0a7fe0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -57,6 +57,19 @@ SELINUX_BOOLEAN_SETTINGS = dict(
 KDCPROXY_USER = 'kdcproxy'
 HTTPD_USER = constants.HTTPD_USER
 
+# See contrib/nsscipersuite/nssciphersuite.py
+NSS_CIPHER_SUITE = [
+    '+aes_128_sha_256', '+aes_256_sha_256',
+    '+ecdhe_ecdsa_aes_128_gcm_sha_256', '+ecdhe_ecdsa_aes_128_sha',
+    '+ecdhe_ecdsa_aes_256_gcm_sha_384', '+ecdhe_ecdsa_aes_256_sha',
+    '+ecdhe_rsa_aes_128_gcm_sha_256', '+ecdhe_rsa_aes_128_sha',
+    '+ecdhe_rsa_aes_256_gcm_sha_384', '+ecdhe_rsa_aes_256_sha',
+    '+rsa_aes_128_gcm_sha_256', '+rsa_aes_128_sha',
+    '+rsa_aes_256_gcm_sha_384', '+rsa_aes_256_sha'
+]
+NSS_CIPHER_REVISION = '20160129'
+
+
 def httpd_443_configured():
     """
     We now allow mod_ssl to be installed so don't automatically disable it.
@@ -146,6 +159,8 @@ class HTTPInstance(service.Service):
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
+        self.step("setting mod_nss cipher suite",
+                  self.set_mod_nss_cipher_suite)
         self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
@@ -255,6 +270,10 @@ class HTTPInstance(service.Service):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+    def set_mod_nss_cipher_suite(self):
+        ciphers = ','.join(NSS_CIPHER_SUITE)
+        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
+
     def __set_mod_nss_passwordfile(self):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
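Review bot: The comment above NSS_CIPHER_SUITE in the first hunk misspells the generator's directory as `nsscipersuite`; the commit message names it contrib/nssciphersuite/nssciphersuite.py, so the line should read `# See contrib/nssciphersuite/nssciphersuite.py`. The list contains only `+` entries, so the removal of RC4/DES/3DES described in the message relies on mod_nss treating every suite not named in NSSCipherSuite as disabled; a short comment stating that assumption next to the list would let a future maintainer verify it rather than rediscover it. NSS_CIPHER_REVISION = '20160129' is defined here but nothing in the visible hunks reads it, so if it is meant to trigger a rewrite of the directive on upgrade, a comment such as `# bump whenever NSS_CIPHER_SUITE changes so upgrades rewrite NSSCipherSuite` would make that coupling explicit. Since the sequence is only ever joined into a directive value, a tuple would also guard against accidental mutation at module level.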
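Review bot: set_mod_nss_cipher_suite in the last hunk has no docstring even though, unlike the surrounding double-underscore helpers, it is a public method and is presumably intended to be called from upgrade code as set_mod_nss_protocol is; add `"""Write the NSSCipherSuite directive from NSS_CIPHER_SUITE into nss.conf."""`. The method never consults NSS_CIPHER_REVISION, so any upgrade logic that depends on the revision has to compare it before calling this method; if that is the design, the docstring should say so. The enclosing HTTPInstance class starts and ends outside the hunk.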
