Freeze break request: adding cipher to dl*.fedoraproject.org for BFO

Patrick Uiterwijk puiterwijk at redhat.com
Thu Nov 20 21:17:50 UTC 2014


Hi all,

Since boot.fedoraproject.org does not support (EC)DHE_ ciphers, the attached patch will add support for RSA_WITH_AES_256_CBC_SHA256 to dl*.fedoraproject.org.
Please +1 or -2?


From c4e72c37cedb2fd14e948f7a82d5ac14c12dc292 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk at redhat.com>
Date: Thu, 20 Nov 2014 21:12:21 +0000
Subject: [PATCH] Enable RSA_WITH_AES_256_CBC_SHA256 for bfo

---
 .../download/files/httpd/dl.fedoraproject.org.conf |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/roles/download/files/httpd/dl.fedoraproject.org.conf b/roles/download/files/httpd/dl.fedoraproject.org.conf
index 7be586c..1129149 100644
--- a/roles/download/files/httpd/dl.fedoraproject.org.conf
+++ b/roles/download/files/httpd/dl.fedoraproject.org.conf
@@ -23,9 +23,10 @@
   # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
+  # RSA_WITH_AES_256_CBC_SHA256 is supported for boot.fedoraproject.org (iPXE doesn't support DHE_ or ECDHE_)

    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
-   SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+   SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:RSA_WITH_AES_256_CBC_SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

   Include "conf.d/dl.fedoraproject.org/*.conf"
 </VirtualHost>
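
Review bot: The entry appended to the new `SSLCipherSuite` line, `RSA_WITH_AES_256_CBC_SHA256`, is the RFC-style suite name, while every other entry in the string is an OpenSSL cipher-string name (for example `DHE-RSA-AES256-SHA256`). mod_ssl hands this string to OpenSSL, whose name for that suite is `AES256-SHA256`, so as written the entry is unlikely to match any cipher and iPXE would still have no suite in common with the server. Suggest using `AES256-SHA256` instead and confirming on the host with `openssl ciphers -v '<the full string>'` that the suite appears in the expanded list. Separately, the context comment asks that modules/squid/files/squid.conf-el6 be kept in sync when cipher suites change, and the diffstat shows only this one file touched; either update the squid config in the same change or state in the new comment why it does not need the suite. Since this is a plain RSA key exchange with no forward secrecy, keeping it at the end of the list as done here is right, provided the server's cipher order is honored (not visible in this hunk).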
-- 
1.7.2.1



With kind regards,
Patrick Uiterwijk
Associate Software Engineer, Red Hat


