put ssl cipher suite in attribute and change to new BEAST-safe value

gofullstack · Jul 18, 2012 · 46192ab · 46192ab · smith · Jul 19, 2012
1 parent b4d0f76
commit 46192ab
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/attributes/mod_ssl.rb b/attributes/mod_ssl.rb
@@ -0,0 +1,19 @@
+# 
+# Author:: Nathan L Smith <nlloyds@gmail.com>
+# Copyright:: Copyright (c) 2012, Opscode, Inc.
+# License:: Apache License, Version 2.0
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#    http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+
+default['apache']['mod_ssl']['cipher_suite'] = 'RC4-SHA:HIGH:!ADH'
diff --git a/templates/default/mods/ssl.conf.erb b/templates/default/mods/ssl.conf.erb
@@ -59,11 +59,12 @@ SSLMutex  file:/var/run/ssl_mutex
 SSLMutex  file:/var/run/apache2/ssl_mutex
 <% end -%>
 
+SSLHonorCipherOrder On
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
 #   enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH
+SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>
 #   Use this instead if you want to allow cipher upgrades via SGC facility.
 #   In this case you also have to use something like 
 #        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128