
perfsonar-user - Re: [perfsonar-user] ssl.conf

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] ssl.conf


  • From: Andrew Lake <>
  • To: Shawn McKee <>, hito <>, perfsonar-user <>
  • Cc: "Jason A. Smith" <>
  • Subject: Re: [perfsonar-user] ssl.conf
  • Date: Fri, 21 Dec 2018 11:38:56 -0500

Hi,

For reference there was a discussion on the list related to this last month: https://lists.internet2.edu/sympa/arc/perfsonar-user/2018-11/msg00008.html

The summary is that by default the toolkit follows the Mozilla "Intermediate compatibility" recommendations detailed here: https://wiki.mozilla.org/Security/Server_Side_TLS. This is not strict enough for some sites, and your change to ssl.conf is the correct way to address this. As long as you are on 4.1.5, your changes to ssl.conf should remain untouched on future updates. Previously ssl.conf would get restored to the pS defaults on update, which was the focus of the email thread above. Version 4.1.5, released earlier this week, implements the solution from that thread.

Thanks,
Andy



On December 21, 2018 at 11:28:48 AM, hito () wrote:

Hello.


We were told by BNL cybersecurity that the Perfsonar instance at BNL is not
sufficiently secure to "pass" their test (a test for all xxx.gov
sites). After changing our ssl.conf, we managed to pass it. Maybe
this setting should be implemented everywhere, or at least advertised for
those sites. It is noted here that our change will allow access to
this host only from fairly new (SSL) clients.

The change we have made in ssl.conf is the following.

======

# HSTS: tell browsers to use HTTPS only for this host for one year (needs mod_headers)
Header always set Strict-Transport-Security "max-age=31536000;"

# Disable every protocol version except TLS 1.2
SSLProtocol -ALL +TLSv1.2

# ECDH/DH key exchange with AES-GCM, ChaCha20 or AES only; no anonymous suites,
# no MD5 MACs, no DSS certificates and no static RSA key exchange
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA

# Intermediate CA chain sent to clients along with the server certificate
SSLCACertificateFile /etc/pki/CA/certs/incommon-rsa-server-ca.crt
<<<   this file should be included in the PerfSonar distribution.

=====

thanks,

Hiro
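The following is an added example, not code from the thread or from the perfSONAR toolkit. It takes the cipher string and HSTS value quoted from Hiro's ssl.conf and checks them the way a site would before (and after) a cybersecurity scan: the cipher string is expanded by the OpenSSL build Python is linked to, which is the same expansion mod_ssl performs, and every enabled suite is checked against the intent of the `!aNULL:!MD5:!DSS:!RSA` exclusions. The function names (`build_server_context`, `policy_violations`, `hsts_ok`, `probe`) and the deliberately weak comparison string are this example's own assumptions; `probe()` is the only part that talks to a live server and is not needed for the offline checks.

```python
"""Offline audit of the TLS hardening posted in the thread (added example,
not perfSONAR code). Works with Python 3.7+ and any OpenSSL 1.1.0+/3.x."""
import re
import ssl

# Values quoted from the posted ssl.conf.
CIPHER_STRING = ("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:"
                 "ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA")
HSTS_VALUE = "max-age=31536000;"
ONE_YEAR = 31536000

# Constructed weak string for comparison: the second suite uses static RSA
# key exchange, which the posted policy excludes with !RSA.
WEAK_STRING = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"


def build_server_context(cipher_string=CIPHER_STRING):
    """Mirror 'SSLProtocol -ALL +TLSv1.2' and the SSLCipherSuite directive.

    The Apache of that era had no TLS 1.3, so '+TLSv1.2' meant TLS 1.2 only.
    Here TLS 1.3 stays enabled; its suites are not governed by this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)          # raises SSLError if nothing matches
    return ctx


def policy_violations(cipher_string=CIPHER_STRING):
    """Expand the string with OpenSSL and list every suite that breaks the
    intent of !aNULL (no anonymous), !MD5, !DSS and !RSA (no static RSA kx).

    Each entry of get_ciphers() carries OpenSSL's own description line, e.g.
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'."""
    ctx = build_server_context(cipher_string)
    problems = []
    for c in ctx.get_ciphers():
        fields = dict(re.findall(r"(Kx|Au|Mac)=(\S+)", c["description"]))
        name = c["name"]
        if fields.get("Kx") == "RSA":
            problems.append(f"{name}: static RSA key exchange (no forward secrecy)")
        if fields.get("Au") == "None":
            problems.append(f"{name}: anonymous suite")
        if fields.get("Au") == "DSS":
            problems.append(f"{name}: DSS authentication")
        if fields.get("Mac") == "MD5":
            problems.append(f"{name}: MD5 MAC")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol: TLS < 1.2 still enabled")
    return problems


def hsts_ok(header_value, min_age=ONE_YEAR):
    """True if a Strict-Transport-Security value carries max-age >= min_age."""
    if not header_value:
        return False
    m = re.search(r"max-age\s*=\s*(\d+)", header_value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= min_age


def probe(host, port=443):
    """Live check against a deployed host (needs network; not used offline):
    returns the negotiated TLS version, the cipher and the HSTS header."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(),
                                       timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return {"version": conn.sock.version(),
                "cipher": conn.sock.cipher()[0],
                "hsts_ok": hsts_ok(resp.getheader("Strict-Transport-Security"))}
    finally:
        conn.close()


if __name__ == "__main__":
    print("posted policy violations:", policy_violations(CIPHER_STRING))
    print("weak string violations:  ", policy_violations(WEAK_STRING))
    print("HSTS header acceptable:  ", hsts_ok(HSTS_VALUE))
```

Running it without arguments shows the posted string expanding to forward-secret ECDHE/DHE suites with no violations, while the constructed weak string is flagged for its static RSA suite. To compare against what a host actually negotiates, call `probe("your.perfsonar.host")` and compare its output with the policy; a negotiated version below TLS 1.2 or a missing HSTS header means the deployed ssl.conf differs from the one intended.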



