put ssl cipher suite in attribute and change to new BEAST-safe value

1 parent b4d0f76 commit 46192ab55bd1d8489a0984ddbf3035fd151a3a13 @smith smith committed Jul 18, 2012
Showing with 21 additions and 1 deletion.
  1. +19 −0 attributes/mod_ssl.rb
  2. +2 −1 templates/default/mods/ssl.conf.erb
19 attributes/mod_ssl.rb
@@ -0,0 +1,19 @@
+#
+# Author:: Nathan L Smith <nlloyds@gmail.com>
+# Copyright:: Copyright (c) 2012, Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['apache']['mod_ssl']['cipher_suite'] = 'RC4-SHA:HIGH:!ADH'
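Review bot: the new default `RC4-SHA:HIGH:!ADH` carries no comment saying why RC4-SHA is placed ahead of the HIGH group, so the BEAST rationale survives only in the commit message and a later editor could "tidy" the string back into the HIGH-first shape. A one-line comment above the attribute, e.g. `# RC4-SHA first: stream cipher, not subject to the BEAST CBC attack`, would record that. Two related points: `!ADH` excludes only anonymous DH, whereas `!aNULL` excludes every unauthenticated suite (anonymous ECDH included), so `RC4-SHA:HIGH:!aNULL` is the safer spelling; and because the template now honors server order, every RC4-capable client will be steered onto RC4, not just the CBC-vulnerable ones, which is a trade-off worth stating in the same comment, since RC4 has known keystream biases and the value will need revisiting.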
3 templates/default/mods/ssl.conf.erb
@@ -59,11 +59,12 @@ SSLMutex file:/var/run/ssl_mutex
SSLMutex file:/var/run/apache2/ssl_mutex
<% end -%>
+SSLHonorCipherOrder On
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH
+SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
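Review bot: `SSLHonorCipherOrder On` is dropped above the `# SSL Cipher Suite:` comment block rather than beside the `SSLCipherSuite` line it governs, and it has no comment of its own, while `# enable only secure ciphers:` and the SGC note below still describe the old hard-coded `HIGH:MEDIUM:!ADH` list. Suggest moving the directive under the comment block, directly above `SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>`, with a line such as `# Prefer the server's order so the first suite in cipher_suite wins`, and updating the surrounding comments to say the list now comes from the `cipher_suite` attribute, so a reader sees that the attribute's ordering only takes effect because of this directive.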

1 comment on commit 46192ab

@smith
FullStack member

Sounds great. I'm not that knowledgeable about the ciphers, but this one did pass the test on ssllabs. I'd rather have someone who knows what they're doing pick a sensible default. :)