author | Christian Heimes <cheimes@redhat.com> | 2016-01-21 16:09:10 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2016-02-11 10:44:29 +0100 |
commit | 5ac3a3cee534a16db86c541b9beff4939f03410e (patch) | |
tree | d0aff8d1bb1d4976e99120b01976bf1ccf293beb /ipaserver/install/server | |
parent | 42d364427606e39486645e4064ca16940b2f8837 (diff) | |
Modernize mod_nss's cipher suites
The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
has been modernized. Insecure or less secure algorithms such as RC4,
DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
ECDH key exchange have been added. IE 8 on Windows XP is no longer
supported.
The list of enabled cipher suites has been generated with the script
contrib/nssciphersuite/nssciphersuite.py.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r-- | ipaserver/install/server/upgrade.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 48f8579a4..584a5fc13 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1343,6 +1343,23 @@ def update_mod_nss_protocol(http):
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+
+def update_mod_nss_cipher_suite(http):
+    root_logger.info('[Updating mod_nss cipher suite]')
+
+    revision = sysupgrade.get_upgrade_state('nss.conf', 'cipher_suite_updated')
+    if revision >= httpinstance.NSS_CIPHER_REVISION:
+        root_logger.debug("Cipher suite already updated")
+        return
+
+    http.set_mod_nss_cipher_suite()
+
+    sysupgrade.set_upgrade_state(
+        'nss.conf',
+        'cipher_suite_updated',
+        httpinstance.NSS_CIPHER_REVISION)
+
+
 def ds_enable_sidgen_extdom_plugins(ds):
+    """For AD trust agents, make sure we enable sidgen and extdom plugins
+    """
@@ -1526,6 +1543,7 @@ def upgrade_configuration():
     http.stop()
     update_mod_nss_protocol(http)
+    update_mod_nss_cipher_suite(http)
     fix_trust_flags()
     export_kra_agent_pem()
     http.start()
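Review bot: The early-return test `if revision >= httpinstance.NSS_CIPHER_REVISION:` in the new update_mod_nss_cipher_suite assumes get_upgrade_state returns an int; if it returns None on a host that has never recorded 'cipher_suite_updated', the comparison is False on Python 2 only by accident and raises TypeError on Python 3, so the unset case should be explicit: `if revision is not None and revision >= httpinstance.NSS_CIPHER_REVISION:`. The function also has no docstring; I would add one stating that the mod_nss cipher list is re-applied only when httpinstance.NSS_CIPHER_REVISION exceeds the revision stored in the nss.conf upgrade state, so any future hardening of the enabled suites must bump that constant or already-upgraded servers keep the old list. Because the state is written only after http.set_mod_nss_cipher_suite() returns, a failed rewrite of nss.conf is retried on the next upgrade run, which is worth stating in the same docstring.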