perfsonar-user - Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
Subject: perfSONAR User Q&A and Other Discussion
- From: Michael Johnson <>
- To: Doug Wussler <>
- Cc: "" <>
- Subject: Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
- Date: Thu, 21 Dec 2017 12:15:24 -0500
Hi Doug,
The SSL Protocol/CipherSuite values are modified by our packages because if
we don't update these, older/weaker ciphers are allowed, which is a security
issue; in fact, various web application scanners people are using complain
about this. This is why we have made the change.
I haven't tried this, but I believe you could set the values you want in a
separate config file, and they wouldn't get overwritten. You would want to
create a new file, something like this:
/etc/httpd/conf.d/zciphers.conf
You would then put the desired ciphers in this file and it would override the
settings in ssl.conf. The files in conf.d/*.conf are read in alphabetical
order, so by changing the filename you can control the order they load (hence
the 'z' above). The later includes override earlier ones.
Thanks,
Michael
On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
Is there some reason why you are modifying the values of “SSLProtocol” and
“SSLCipherSuite” in the SSL.CONF file when updates are applied?
I have more restrictive settings for these parameters. Whenever an update
runs it updates these values and we end up with a corrupt value for
SSLCipherSuite and then the service can’t restart.
Does this config file need to be included in your update procedures? If not,
can you please remove it so that it doesn’t overwrite custom settings?
Doug
Doug Wussler
850.645.4201
Information Technology Services
Florida State University
RK Shaw Building
644 W. Call Street
Tallahassee, FL 32304
--
Michael Johnson
GlobalNOC Software Engineering
Indiana University
812-856-2771
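The load-order rule described in the reply above, as an added example that is not part of the original thread or of perfSONAR's packages: this Python code resolves which SSLProtocol/SSLCipherSuite value ends up in effect across conf.d files, and also reports values set inside a `<VirtualHost>` block, which Apache applies to that virtual host in preference to server-scope values from any file. The function name `effective_tls_settings`, the file contents and the directive values are constructed for illustration.

```python
import re

CANONICAL = {"sslprotocol": "SSLProtocol", "sslciphersuite": "SSLCipherSuite"}

def effective_tls_settings(conf_files):
    """conf_files maps file name -> contents of each conf.d/*.conf file.

    Returns (server, vhosts): server[directive] = (value, file) for the last
    server-scope setting; vhosts lists (vhost, directive, value, file) for
    settings inside <VirtualHost> blocks, which win for that virtual host.
    """
    server, vhosts = {}, []
    for name in sorted(conf_files):          # conf.d/*.conf loads alphabetically
        scope = None                         # None means server (global) scope
        for raw in conf_files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if opened:
                scope = opened.group(1).strip()
            elif re.match(r"</VirtualHost\s*>", line, re.I):
                scope = None
            else:
                parts = line.split(None, 1)
                directive = CANONICAL.get(parts[0].lower())
                value = parts[1].strip() if len(parts) > 1 else ""
                if directive and scope is None:
                    server[directive] = (value, name)   # later file overrides
                elif directive:
                    vhosts.append((scope, directive, value, name))
    return server, vhosts

# Constructed sample files; the directive values are illustrative only.
SAMPLE = {
    "ssl.conf": "SSLProtocol all -SSLv3\n<VirtualHost _default_:443>\n"
                "SSLCipherSuite HIGH:!aNULL:!MD5\n</VirtualHost>\n",
    "zciphers.conf": "SSLProtocol -all +TLSv1.2\n"
                     "SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384\n",
}

if __name__ == "__main__":
    server, vhosts = effective_tls_settings(SAMPLE)
    for directive, (value, source) in server.items():
        print(f"server scope: {directive} {value}  (from {source})")
    for vhost, directive, value, source in vhosts:
        print(f"vhost {vhost}: {directive} {value}  (from {source}, wins there)")
```

Any entry in the second list means an override file has to set the directive in the same virtual host context to change what that host negotiates; `apachectl configtest` checks the syntax of the result before a restart.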