
perfsonar-user - Re: [perfsonar-user] Suggested config for PerfSonar to become BOD 18-01 compliant

Subject: perfSONAR User Q&A and Other Discussion

  • From: Brent Draney <>
  • To: Andrew Lake <>
  • Cc:
  • Subject: Re: [perfsonar-user] Suggested config for PerfSonar to become BOD 18-01 compliant
  • Date: Tue, 5 Mar 2019 13:25:08 -0800

Thanks for adding this configuration path.  We will make sure to take advantage of it.
We will also feed back the settings that we make to pass the BOD tests so that others can
use them and they can be centrally documented.

Brent

On Mar 5, 2019, at 1:15 PM, Andrew Lake <> wrote:

Hi Brent,

You should be able to update the VirtualHost section of /etc/httpd/conf.d/ssl.conf with the settings you want. They will be preserved between updates...which was not always true until a recent update. We re-shuffled the way perfSONAR manages SSL settings in the 4.1.5 release in December of last year specifically so users with this requirement could make the edits and not have them blasted every time we release a new version of perfSONAR.

This may fall into the category of “too much information” but if you are wondering, the perfSONAR RPMs put a default set of SSL settings in /etc/httpd/conf.d/apache-perfsonar-security.conf. These match the Mozilla Intermediate compatibility recommendation (https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) which are stronger than the Apache defaults but not as strong as the BOD. You can leave apache-perfsonar-security.conf alone since the RPM controls that. Anything the RPMs put there will get ignored in favor of your changes in the VirtualHost section of ssl.conf since the VirtualHost context takes precedence in Apache.

Thanks,
Andy


On March 5, 2019 at 3:04:07 PM, Brent Draney () wrote:

Hi All, 

Federal gov web servers are under a Binding Operational Directive that requires us to convert to HTTPS with strong(er) cyphers
and turn on HSTS. Is there a version of PerfSonar that meets the requirements that anyone is aware of or has anyone modified
their local config to meet BOD 18-01? The link below gives more information about the BOD.

Thanks, 
Brent 

https://pulse.cio.gov/https/domains/#q=w-- 
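
The precedence described in the thread, as an added example (not code from the thread or from perfSONAR): a Python check that merges server-level directives with those in the VirtualHost section of ssl.conf and audits the result for HSTS, SSLv2/SSLv3 and 3DES/RC4. The sample configs, the function names and the one-year HSTS threshold are assumptions; confirm the exact requirements against the BOD 18-01 text.

```python
import re

# Constructed samples (not perfSONAR's shipped files): SERVER_CONF stands in for
# apache-perfsonar-security.conf, VHOST_CONF for the VirtualHost section of ssl.conf.
SERVER_CONF = """\
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
"""
VHOST_CONF = """\
<VirtualHost _default_:443>
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!3DES:!RC4
  Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # conservative reading of "all"
MIN_HSTS_AGE = 31536000  # one year in seconds; assumed threshold

def directives(text, in_vhost):  # {directive: [args, ...]} inside or outside <VirtualHost>
    found, inside = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"</?VirtualHost\b", line, re.I):
            inside = not line.startswith("</")
        elif line and not line.startswith("#") and inside == in_vhost:
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(args.strip())
    return found

def effective(server_text, vhost_text):
    """VirtualHost values override server-level ones; Header lines accumulate."""
    merged, vhost = directives(server_text, False), directives(vhost_text, True)
    headers = merged.get("header", []) + vhost.get("header", [])
    return {**merged, **vhost, "header": headers}

def audit(cfg):
    problems, enabled = [], set()
    for tok in cfg.get("sslprotocol", ["all"])[-1].split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled |= ALL_PROTOCOLS if tok.lower() == "all" else {tok.lstrip("+")}
    if enabled & {"SSLv2", "SSLv3"}:
        problems.append("SSLv2/SSLv3 enabled")
    ciphers = cfg.get("sslciphersuite", [""])[-1].split(":")
    # Only explicit cipher names are checked; aliases such as HIGH are not expanded.
    if any(re.search(r"3DES|DES-CBC3|RC4", c) and c[:1] not in "!-" for c in ciphers):
        problems.append("3DES/RC4 cipher allowed")
    m = re.search(r'strict-transport-security\s+"?max-age=(\d+)', "\n".join(cfg["header"]), re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        problems.append("HSTS missing or max-age too short")
    return problems
```

Calling `audit(effective(SERVER_CONF, VHOST_CONF))` audits the merged view, while passing an empty string as the second argument shows what the server-level file alone would yield.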