MAAS TLS offers CBC ciphers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Status tracked in 3.6 | | |
3.4 | Won't Fix | Medium | Unassigned |
3.5 | Won't Fix | Medium | Unassigned |
3.6 | Triaged | Medium | Unassigned |
Bug Description
maas: 1:3.2.6-
After enabling TLS in MAAS[1], a security scanner states MAAS has CBC ciphers enabled, which is not critical but not recommended.
It would be nice to follow Mozilla's intermediate level:
https:/
[nginx conf]
$ grep ssl_ /var/lib/
ssl_certificate /var/lib/
ssl_
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "AES256+EECDH AES256+EDH !aNULL";
ssl_
ssl_
[available ciphers to clients]
Obsoleted CBC ciphers (AES, ARIA etc.) offered
TLSv1.2 (server order)
xc030 ECDHE-RSA-
xc028 ECDHE-RSA-
xc014 ECDHE-RSA-
TLSv1.3 (server order)
x1302 TLS_AES_
x1303 TLS_CHACHA20_
x1301 TLS_AES_
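Added example (not part of the original report and not MAAS code): a Python check that expands the `ssl_ciphers` string from the config above with the local OpenSSL and lists the suites that are not AEAD, which for an AES-only string means CBC. The `AEAD_ONLY` candidate is a constructed assumption, not Mozilla's published list, and results depend on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher string copied from the nginx config quoted in the bug report.
PAGE_CIPHERS = "AES256+EECDH AES256+EDH !aNULL"

# Constructed AEAD-only candidate (an assumption for this example; it is
# neither Mozilla's published list nor a MAAS setting).
AEAD_ONLY = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
])


def expand(cipher_string):
    """Return (name, mac) for every suite the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        # OpenSSL's description ends with e.g. "Enc=AES(256) Mac=SHA384";
        # AEAD suites (GCM, CCM, ChaCha20-Poly1305) report "Mac=AEAD".
        mac = next((t[4:] for t in c["description"].split()
                    if t.startswith("Mac=")), "unknown")
        suites.append((c["name"], mac))
    return suites


def non_aead(cipher_string):
    """Suites that use a separate HMAC, i.e. CBC mode for AES."""
    return [name for name, mac in expand(cipher_string) if mac != "AEAD"]


if __name__ == "__main__":
    for label, s in (("page", PAGE_CIPHERS), ("candidate", AEAD_ONLY)):
        flagged = non_aead(s)
        print(f"{label}: {len(expand(s))} suites, {len(flagged)} non-AEAD")
        for name in flagged:
            print("  CBC:", name)
```

TLS 1.3 suites appear in both expansions because `ssl_ciphers` (and `set_ciphers`) only governs TLS 1.2 and earlier; they are all AEAD.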
Changed in maas:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 3.4.0
Changed in maas:
milestone: 3.4.0 → 3.4.x
Changed in maas:
milestone: 3.4.x → 3.5.x