On Fri, Mar 17, 2017 at 11:29 PM, Patrick Uiterwijk
<puiterwijk(a)redhat.com> wrote:
> Hi,
> Turns out that these three services were not yet using our global
> secure cipher set.
> This means that they have the Apache defaults, which are quite
> insecure (RC4 and no FS).
> Can I please get +1s to apply the underneath patch?
+1 seems sane to me
> Patrick
>
>
> commit 55183057fc95109df5d6b50258918c59c7930674
> Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
> Date: Fri Mar 17 23:28:19 2017 +0000
>
> Update Pagure, anitya and piwik to use the secure cipher set
>
> Signed-off-by: Patrick Uiterwijk <puiterwijk(a)redhat.com>
>
> diff --git a/roles/anitya/frontend/files/0_releasemonitoring.conf
> b/roles/anitya/frontend/files/0_releasemonitoring.co
> index 56a0bfb..e054147 100644
> --- a/roles/anitya/frontend/files/0_releasemonitoring.conf
> +++ b/roles/anitya/frontend/files/0_releasemonitoring.conf
> @@ -7,8 +7,8 @@
> ServerName release-monitoring.org:443
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> - # Use secure TLSv1.1 and TLSv1.2 ciphers
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
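Review bot: this file lives under roles/anitya/frontend/files/, yet the two new lines use Jinja placeholders (`SSLProtocol {{ ssl_protocols }}` and `SSLCipherSuite {{ ssl_ciphers }}`); those are only substituted if the task deploying the file uses the template module rather than copy, and httpd rejects an unknown protocol name at startup, so a literal `{{` would break the vhost. Either move the file to templates/ (as pagure's 0_pagure.conf already is) or confirm the deploying task templates it before merging.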
> diff --git a/roles/pagure/frontend/templates/0_pagure.conf
> b/roles/pagure/frontend/templates/0_pagure.conf
> index a7b7e70..3c3f353 100644
> --- a/roles/pagure/frontend/templates/0_pagure.conf
> +++ b/roles/pagure/frontend/templates/0_pagure.conf
> @@ -64,7 +64,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> ServerAdmin admin(a)fedoraproject.org
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
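Review bot: the retained comment `# Use secure TLSv1.1 and TLSv1.2 ciphers` now sits below the new directives and no longer describes them, since the permitted protocols are whatever `ssl_protocols` renders to. The anitya hunk drops the comment; do the same here (or move it above `SSLProtocol` and reword it) so the three files read consistently.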
> @@ -113,7 +114,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> {% endif %}
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> @@ -138,7 +140,8 @@ WSGIDaemonProcess paguredocs user=git group=git
> maximum-requests=1000 display-na
> WSGIScriptAlias / /var/www/docs_pagure.wsgi
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> # Use secure TLSv1.1 and TLSv1.2 ciphers
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
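Review bot: this is the third identical `SSLProtocol` / `SSLCipherSuite` stanza in 0_pagure.conf (hunks at 64, 113 and 138). Factoring the TLS block into a shared Include or a Jinja include would make the next cipher-set change a single edit instead of three, which also removes the chance of one vhost being missed the way these files missed the global set.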
> diff --git a/roles/piwik/files/piwik-httpd.conf
> b/roles/piwik/files/piwik-httpd.conf
> index 4b55fdc..881c509e 100644
> --- a/roles/piwik/files/piwik-httpd.conf
> +++ b/roles/piwik/files/piwik-httpd.conf
> @@ -11,8 +11,8 @@
> ServerName
piwik.fedorainfracloud.org
>
> SSLEngine on
> - SSLProtocol all -SSLv2 -SSLv3
> - # Use secure TLSv1.1 and TLSv1.2 ciphers
> + SSLProtocol {{ ssl_protocols }}
> + SSLCipherSuite {{ ssl_ciphers }}
> Header always add Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
>
> SSLCertificateFile /etc/pki/tls/certs/piwik.fedorainfracloud.org.cert
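Review bot: same files/ versus templates/ concern as for anitya: roles/piwik/files/piwik-httpd.conf now contains `{{ ssl_protocols }}` and `{{ ssl_ciphers }}`, which only get substituted if the deploying task uses template. Worth checking before applying, because an unrendered placeholder in `SSLProtocol` stops httpd from starting.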
> _______________________________________________
> infrastructure mailing list -- infrastructure(a)lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-leave(a)lists.fedoraproject.org
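The defect the patch corrects (a TLS vhost with `SSLEngine on` but no `SSLCipherSuite`, so httpd's default cipher list applies) and the deployment risk raised in review (Jinja placeholders left unrendered in a file under `files/`) are both easy to catch with a small config lint before a role is pushed. The following checker is an added example, not Fedora infrastructure code; the sample vhost texts are constructed to mirror the hunks above, the cipher string used in the "after" sample is illustrative, and the rendered values of `ssl_protocols` and `ssl_ciphers` are assumptions. When `SSLProtocol` is absent the checker treats it as `all`, which is a deliberately conservative assumption rather than httpd's actual default.

```python
"""Lint Apache httpd vhost configs for weak or unrendered TLS settings.

Added example (not Fedora infrastructure code). Flags TLS-enabled vhosts that:
  * have no SSLCipherSuite (httpd default cipher list, RC4 included on old
    OpenSSL builds, no forward-secrecy preference);
  * have an SSLProtocol value that still permits SSLv2 or SSLv3;
  * still contain an unrendered Jinja placeholder such as {{ ssl_ciphers }}.
"""
import re

# One VirtualHost block at a time; httpd directive names are case-insensitive.
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def parse_directives(block):
    """Map lowercase directive name -> raw value for one vhost body, skipping comments."""
    directives = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def protocol_allows_legacy(value):
    """Return the legacy protocols an SSLProtocol value leaves enabled.

    httpd semantics: 'all' turns every version on; '-name' removes one,
    '+name' or a bare name adds one. Tokens are processed left to right.
    """
    enabled = set()
    for token in value.lower().split():
        if token == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return sorted(enabled & LEGACY_PROTOCOLS)


def lint_config(text):
    """Return (servername, finding) pairs for every TLS-enabled vhost in the text."""
    findings = []
    for index, match in enumerate(VHOST_RE.finditer(text), 1):
        d = parse_directives(match.group(1))
        if d.get("sslengine", "off").lower() != "on":
            continue  # plain HTTP vhost, nothing to check
        name = d.get("servername", "vhost#%d" % index)
        for key in ("sslprotocol", "sslciphersuite"):
            if "{{" in d.get(key, ""):
                findings.append((name, "%s contains an unrendered template variable" % key))
        if "sslciphersuite" not in d:
            findings.append((name, "no SSLCipherSuite: httpd default cipher list in use"))
        # Assumption: a missing SSLProtocol is treated as 'all' (worst case).
        legacy = protocol_allows_legacy(d.get("sslprotocol", "all"))
        if legacy:
            findings.append((name, "SSLProtocol permits " + ", ".join(legacy)))
    return findings


# Constructed sample mirroring the pre-patch anitya vhost.
BEFORE = """
<VirtualHost *:443>
    ServerName release-monitoring.org:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
"""

# Constructed "after" sample with the placeholders rendered (assumed values).
AFTER = BEFORE.replace(
    "SSLProtocol all -SSLv2 -SSLv3",
    "SSLProtocol TLSv1.2\n    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
)

# Constructed sample of the patched file deployed with copy instead of template.
UNRENDERED = BEFORE.replace(
    "SSLProtocol all -SSLv2 -SSLv3",
    "SSLProtocol {{ ssl_protocols }}\n    SSLCipherSuite {{ ssl_ciphers }}",
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("unrendered", UNRENDERED)):
        print(label, lint_config(cfg) or "clean")
```

Run it against a role's `files/` and `templates/` directories after rendering, and gate the push on an empty result; the unrendered-placeholder check is what catches a Jinja-templated file that a task copies verbatim.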