COOK-1470 - put ssl cipher suite in attribute and change to new BEAST-safe value #15

Merged
3 participants

@lamont-opscode

FWIW, this looks good as a default; I would just suggest thinking about adding !kEDH explicitly for performance, even though that might not actually change any real-life behavior since RC4-SHA1 is listed first.

Could also include RC4-MD5 after RC4-SHA1 since I don't think MD5 can actually be attacked in SSL, and there might be the odd browser out there without RC4-SHA1 support, but I know that'll give some people hives to see that as a default...

Sounds great. I'm not that knowledgeable about the ciphers, but this one did pass the test on ssllabs. I'd rather have someone who knows what they're doing pick a sensible default. :)
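To see what the cipher strings discussed in this thread actually select, here is an added example that is not code from the apache2 cookbook or from anyone in this thread: a small Ruby model of OpenSSL's cipher-string rules (a plain word appends matching suites in master-list order, `!` deletes and forbids re-adding, `-` deletes but allows re-adding, `+` moves matches to the end, and `a+b` matches the intersection of two tags) run over a constructed table of nine real suite names carrying 1.0.x-era attributes and a simplified master order. It shows the ordering effect of listing RC4-SHA first, what the suggested `!kEDH` drops, and that `!ADH` leaves the anonymous ECDH suite in the list while `!aNULL` removes it. `SUITES`, `expand` and `anonymous_suites` are this example's own names, not anything in the cookbook.

```ruby
# Added example (not part of the apache2 cookbook): a minimal model of how
# OpenSSL evaluates an SSLCipherSuite string, so the effect of ordering,
# "!ADH" versus "!aNULL" and "!kEDH" can be checked offline.
#
# The table below is constructed: real OpenSSL suite names, attributes as
# classified by OpenSSL 1.0.x (3DES still HIGH), and a simplified master
# order (HIGH suites first, then MEDIUM). A real build may differ.
SUITES = [
  ["ECDHE-RSA-AES256-SHA", %w[kEECDH aRSA AES SHA1 HIGH]],
  ["DHE-RSA-AES256-SHA",   %w[kEDH aRSA AES SHA1 HIGH]],
  ["ADH-AES256-SHA",       %w[kEDH aNULL ADH AES SHA1 HIGH]],
  ["AECDH-AES256-SHA",     %w[kEECDH aNULL AECDH AES SHA1 HIGH]],
  ["AES256-SHA",           %w[kRSA aRSA AES SHA1 HIGH]],
  ["AES128-SHA",           %w[kRSA aRSA AES SHA1 HIGH]],
  ["DES-CBC3-SHA",         %w[kRSA aRSA 3DES SHA1 HIGH]],
  ["RC4-SHA",              %w[kRSA aRSA RC4 SHA1 MEDIUM]],
  ["RC4-MD5",              %w[kRSA aRSA RC4 MD5 MEDIUM]],
].freeze

TAGS  = SUITES.to_h.freeze          # suite name -> tags
ORDER = SUITES.map(&:first).freeze  # master-list order

# Does suite +name+ match one word ("HIGH", "aNULL", "RC4-SHA", "ALL")?
def word_matches?(name, word)
  word == "ALL" || word == name || TAGS[name].include?(word)
end

# Expand a cipher string into the ordered list the server would offer.
#   word     append matching suites not yet listed, in master-list order
#   !word    delete matches and forbid re-adding them later in the string
#   -word    delete matches, but a later word may add them back
#   +word    move matches already in the list to the end
#   a+b      a word built from several tags matches their intersection
def expand(cipher_string)
  selected = []
  killed = []
  cipher_string.split(":").reject(&:empty?).each do |token|
    op = "!-+".include?(token[0]) ? token[0] : nil
    word = op ? token[1..-1] : token
    parts = word.split("+")
    hits = ORDER.select { |n| parts.all? { |p| word_matches?(n, p) } }
    case op
    when "!"
      killed |= hits
      selected -= hits
    when "-"
      selected -= hits
    when "+"
      moved = selected & hits
      selected = (selected - hits) + moved
    else
      selected |= (hits - killed)
    end
  end
  selected
end

# Unauthenticated suites still on offer: any of these lets an active
# attacker impersonate the server, which is what "!aNULL" exists to stop.
def anonymous_suites(cipher_string)
  expand(cipher_string).select { |n| TAGS[n].include?("aNULL") }
end

if __FILE__ == $PROGRAM_NAME
  ["HIGH:MEDIUM:!ADH", "RC4-SHA:HIGH:!ADH", "RC4-SHA:HIGH:!aNULL:!kEDH"].each do |s|
    puts "#{s.ljust(28)} -> #{expand(s).join(' ')}"
    puts "#{' ' * 28}    anonymous: #{anonymous_suites(s).inspect}"
  end
end
```

Running the file prints the expansion of the old default, the PR's default and the `!aNULL:!kEDH` variant from the review comment. Against a real library the authoritative answer is `openssl ciphers -v 'RC4-SHA:HIGH:!ADH'`, since the master list and strength classes change between OpenSSL releases.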

@jtimberman

I think it's okay to go with this pull request's default in the attributes, and we'll update the README to indicate other options.

@jtimberman jtimberman merged commit 3b69a50 into svanzoest-cookbooks:master
@jtimberman

Readme update in 60daf45

Showing with 21 additions and 1 deletion.
  1. +19 −0 attributes/mod_ssl.rb
  2. +2 −1  templates/default/mods/ssl.conf.erb
attributes/mod_ssl.rb
@@ -0,0 +1,19 @@
+#
+# Author:: Nathan L Smith <nlloyds@gmail.com>
+# Copyright:: Copyright (c) 2012, Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['apache']['mod_ssl']['cipher_suite'] = 'RC4-SHA:HIGH:!ADH'
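Review bot: `!ADH` in `default['apache']['mod_ssl']['cipher_suite'] = 'RC4-SHA:HIGH:!ADH'` only excludes anonymous DH suites; `HIGH` also admits the anonymous ECDH suites (AECDH-*) on OpenSSL builds with EC support, and those stay in the list, where an active attacker can negotiate them. Suggest `'RC4-SHA:HIGH:!aNULL'`, since `aNULL` covers both ADH and AECDH. As this file now holds the default every node gets, a comment above the line should also record why RC4-SHA is listed first (a stream cipher, so not subject to the BEAST CBC attack) so the value is not tidied back to `HIGH:MEDIUM` later; and the README note jtimberman mentions should say this is a point-in-time mitigation to be overridden, as RC4 has since been prohibited for TLS (RFC 7465).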
templates/default/mods/ssl.conf.erb
@@ -59,11 +59,12 @@ SSLMutex file:/var/run/ssl_mutex
SSLMutex file:/var/run/apache2/ssl_mutex
<% end -%>
+SSLHonorCipherOrder On
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH
+SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
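Review bot: `SSLHonorCipherOrder On` is inserted above the `# SSL Cipher Suite:` comment block instead of next to the directive it qualifies, so in the rendered ssl.conf it sits unexplained, while the stale `# enable only secure ciphers:` comment still describes the removed hard-coded `HIGH:MEDIUM:!ADH`. Suggest moving it directly after `SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %>` and rewording the comment to say the list comes from `node['apache']['mod_ssl']['cipher_suite']` and that the server's preference order, not the client's, wins, which is what makes the RC4-first default take effect for clients that would otherwise choose a CBC suite. Also confirm the cookbook's minimum supported Apache provides the directive: `SSLHonorCipherOrder` exists in mod_ssl from 2.1 onward, not in 2.0.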