commit 075a39e1a2b1e873fdbc3742f6363452431c8717
Author: Karla Felix <email address hidden>
Date: Mon Mar 11 11:16:31 2024 -0300

Refining rule to remove weak ciphers from lighttpd

This review will be refining https ciphers rule, for
lighttpd service on port 8443, to avoid the use of
ciphers considered weak based on the NIST list.
The ciphers excluded are the ones that use CBC,
CAMELLIA, ARIA and 3DES encryption mode, and any
cipher that uses SHA1.

The ciphers that will be used by https:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_AES_128_GCM_SHA256 (ecdh_x25519)

Test Plan:
PASS: Run build-pkgs -c -p puppet-manifests.
PASS: Enable https and run nmap to verify if only the
listed ciphers are returned.
PASS: Run build-image.
PASS: Run bootstrap playbook.
PASS: Unlock controller-0.
PASS: Enable https and access horizon via browser
using https.
PASS: Disable https and access horizon via browser
using http.

Closes-Bug: 2054813
Change-Id: Ib21eb1155540f820a77ee7f7b9203663038ab69b
Signed-off-by: Karla Felix <email address hidden>

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/912458
Committed: https://opendev.org/starlingx/stx-puppet/commit/075a39e1a2b1e873fdbc3742f6363452431c8717
Submitter: "Zuul (22348)"
Branch: master
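
The nmap step of the test plan can be automated. The following is an added example, not part of the commit or of the stx-puppet code: it parses `ssl-enum-ciphers` script output and reports every offered suite that is outside the commit's list, together with the exclusion criterion it matches. The function names and the sample scan output are constructed for illustration.

```python
import re

# Allow-list copied from the commit message (IANA suite names).
ALLOWED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}
# Exclusion criteria named in the commit message (SHA1 is handled below).
WEAK_TOKENS = ("CBC", "CAMELLIA", "ARIA", "3DES")

def weak_reasons(suite):
    """Return the commit's exclusion criteria that a suite name matches."""
    tokens = suite.split("_")
    reasons = [t for t in WEAK_TOKENS if t in tokens]
    # IANA names end in the bare token "SHA" when the hash is SHA-1.
    if tokens[-1] == "SHA":
        reasons.append("SHA1")
    return reasons

def audit(nmap_output):
    """Map each offered suite outside the allow-list to why it is rejected."""
    findings = {}
    for name in re.findall(r"^\|\s+(TLS_\w+)\s+\(", nmap_output, re.M):
        # Some nmap releases label TLS 1.3 suites as TLS_AKE_WITH_*.
        name = name.replace("TLS_AKE_WITH_", "TLS_")
        if name not in ALLOWED:
            findings[name] = weak_reasons(name) or ["not in allow-list"]
    return findings

# Constructed sample of ssl-enum-ciphers output, not taken from a real host.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means the scan returned only the listed ciphers, which is the pass condition in the test plan.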