Update the ciphers list
The previous list of ciphers was allowing weak algorithms.
The fix removes:
- kECDH: cipher suites using fixed ECDH key agreement signed by CAs with RSA
and ECDSA keys or either respectively.
- kDH: cipher suites using DH key agreement and DH certificates signed by
CAs with RSA and DSS keys or either respectively.

Fixes: https://pagure.io/freeipa/issue/8000
Reviewed-By: Christian Heimes <cheimes@redhat.com>
flo-renaud authored and abbra committed Jul 17, 2019
1 parent e0da5f7 commit 91641ac
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion ipalib/constants.py
Expand Up @@ -55,7 +55,7 @@

# high ciphers without RC4, MD5, TripleDES, pre-shared key
# and secure remote password
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!kECDH:!kDH"

# regular expression NameSpace member names must match:
NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
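
Review bot: the comment above TLS_HIGH_CIPHERS is now out of date. It still describes the list as "high ciphers without RC4, MD5, TripleDES, pre-shared key and secure remote password", while the new value also excludes kECDH and kDH. Extend the comment to name the fixed ECDH and fixed DH key agreement suites so that the description and the string agree, and a later editor does not read the two extra exclusions as accidental. The commit message's explanation of what kECDH and kDH select would fit well as a short comment next to the constant, since the cipher-string keywords are not self-explanatory.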