perfsonar-user - [perfsonar-user] ssl.conf
Subject: perfSONAR User Q&A and Other Discussion
- From: hito <>
- To: perfsonar-user <>, Shawn McKee <>
- Cc: "Jason A. Smith" <>
- Subject: [perfsonar-user] ssl.conf
- Date: Fri, 21 Dec 2018 11:12:49 -0500
Hello.
We were told by BNL cybersecurity that the perfSONAR instance at BNL is not
sufficiently secure to "pass" their test (test for all xxx.gov
sites). After changing our ssl.conf, we managed to pass it. Maybe
this setting should be implemented everywhere, or at least advertised for
those sites. It is noted here that our change will allow access to
this host only from fairly new (SSL) clients.
The change we have made in ssl.conf is the following.
======
Header always set Strict-Transport-Security "max-age=31536000;"
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA
SSLCACertificateFile /etc/pki/CA/certs/incommon-rsa-server-ca.crt
<<< this file should be included in the PerfSonar distribution.
=====
thanks,
Hiro
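
To see which suites the SSLCipherSuite string in the message above actually selects, it can be expanded with the local OpenSSL through Python's ssl module and checked against the policy's intent. This is an added example, not part of the original message or of perfSONAR; the function names are hypothetical and the exact suite list depends on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher string copied from the ssl.conf change in the message above.
CIPHER_STRING = ("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:"
                 "ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA")


def expand(cipher_string):
    """Return the suites (TLS 1.2 and below) the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL configures TLS 1.3 suites separately and always lists them;
    # with "SSLProtocol -ALL +TLSv1.2" they are never negotiated, so drop them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(suites):
    """Return (suite name, problem) pairs for suites that break the policy's intent."""
    findings = []
    for c in suites:
        # Only ephemeral (EC)DH key exchange gives forward secrecy.
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            findings.append((c["name"], "no forward secrecy: " + c["kea"]))
        # The string excludes anonymous (!aNULL) and DSS (!DSS) authentication.
        if c["auth"] in ("auth-null", "auth-dss"):
            findings.append((c["name"], "excluded authentication: " + c["auth"]))
        # AEAD suites report no digest (None); the string excludes MD5 MACs (!MD5).
        if (c["digest"] or "").lower() == "md5":
            findings.append((c["name"], "MD5 MAC"))
    return findings


if __name__ == "__main__":
    selected = expand(CIPHER_STRING)
    for c in selected:
        print(f'{c["name"]:32} {c["kea"]:10} {c["auth"]:12} aead={c["aead"]}')
    print("findings:", audit(selected) or "none")
```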