Age | Commit message | Author
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
. We want to allow for TLS 1.2 to be enabled (supported in wheezy).
. Explicitly disable SSLCompression. This aids in protecting against the BREACH attack (see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on.
. Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons:
  . Prefer PFS, with ECDHE first then DHE (TLS 1.2; not many implementations support this, and there are no known attacks).
  . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks.
  . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous.
  . RC4 is on the path to removal, but still present for backward compatibility.
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
(fixing #3384)
Node name and DNS FQDN could be different.
Also note that on local deploys the warning from #3384 will continue to exist (because of DNS).
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
. Disable ServerSignature
. Set ServerTokens Prod
. Unset the X-Powered-By and X-Runtime Apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
for hosting two TLS domains on one IP).
configurations