perfSONAR User Q&A and Other Discussion

[Michael Johnson <>]

Hi Doug,

The SSL Protocol/CipherSuite values are modified by our packages because if 
we don't update these, older/weaker ciphers are allowed, which is a security 
issue; in fact, various web application scanners people are using complain 
about this. This is why we have made the change.

I haven't tried this, but I believe you could set the values you want in a 
separate config file, and they wouldn't get overwritten. You would want to 
create a new file, something like this:

/etc/httpd/conf.d/zciphers.conf

You would then put the desired ciphers in this file and it would override the 
settings in ssl.conf. The files in conf.d/*.conf are read in aphabetical 
order, so by changing the filename you can control the order they load (hence 
the 'z' above). The later includes override earlier ones.

Thanks,
Michael

On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
> Is there some reason why you are modifying the values of “SSLProtocol” and 
> “SSLCipherSuite” in the SSL.CONF file when updates are applied?
>
> I have more restrictive settings for these parameters.  Whenever an update 
> runs it updates these values and we end up with a corrupt value for 
> SSLCipherSuite and then the service can’t restart.
>
> Does this config file need to be included in your update procedures? If not, 
> can you please remove it so that it doesn’t overwrite custom settings?
>
> Doug
>
>
> Doug Wussler
> 850.645.4201
> Information Technology Services
> Florida State University
> RK Shaw Building
> 644 W. Call Street
> Tallahassee, FL  32304

--
Michael Johnson
GlobalNOC Software Engineering
Indiana University

812-856-2771

Attachment: smime.p7s
Description: S/MIME cryptographic signature