diff options
author | Micah Anderson <micah@leap.se> | 2014-04-02 13:17:20 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2014-04-02 13:25:13 -0400 |
commit | 5cca6d100ffd991e6f943d916361bf0497728d70 (patch) | |
tree | 64b5d93cf5fe407c19a7fb18fa036a6ea5e41eb7 /puppet/modules/site_openvpn/templates | |
parent | b12c315edef56515321306a692d0f2098f4e8ee0 (diff) |
Update TLS apache vhost TLS configuration (#5137):
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting
against the BREACH attack: see http://breachattack.com), and SPDY
version 3 is vulnerable to the CRIME attack when compression is
on
. Switch the cipher suites to match
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
these reasons:
. Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
implementations support this, and there are no known attacks).
. Prefer AES128 to AES256 because the key schedule in
AES256 is considered weaker, and maybe AES128 is more
resistant to timing attacks
. Prefer AES to RC4. BEAST attacks on AES are mitigated in
>=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
likely to become more dangerous
. RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
Diffstat (limited to 'puppet/modules/site_openvpn/templates')
0 files changed, 0 insertions, 0 deletions