
Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Suggested config for PerfSonar to become BOD 18-01 compliant


  • From: Alex Hsia <>
  • To: Andrew Lake <>
  • Cc: , Brent Draney <>
  • Subject: Re: [perfsonar-user] Suggested config for PerfSonar to become BOD 18-01 compliant
  • Date: Tue, 5 Mar 2019 14:23:06 -0700

We run the Ubuntu version and make modifications to /etc/apache2/sites-enabled/default-ssl.conf with the following under the default VirtualHost:

                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
                SSLHonorCipherOrder on
                ServerName sdmz-perfsonar-40g.boulder.noaa.gov

We also block port 80 with an ACL on the network device.

Alex Hsia ==============================================================
NOAA/OAR                                            Phone: (303)497-6351
Mailstop R/ESRL                                    GVoice: (303)536-5430
325 Broadway                                  e-mail:
Boulder, CO  80305                                   PGP keyid: 8A482A90
========================================================================



On Tue, Mar 5, 2019 at 2:15 PM Andrew Lake <> wrote:
Hi Brent,

You should be able to update the VirtualHost section /etc/httpd/conf.d/ssl.conf with the settings you want. They will be preserved between updates...which was not always true until a recent update. We re-shuffled the way perfSONAR manages SSL settings in the 4.1.5 release in December of last year specifically so users with this requirement could make the edits and not have them blasted every time we release a new version of perfSONAR. 

This may fall into the category of “too much information” but if you are wondering,  the perfSONAR RPMs put a default set of SSL settings in /etc/httpd/conf.d/apache-perfsonar-security.conf. These match the Mozilla Intermediate compatibility recommendation (https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29)  which are stronger than the Apache defaults but not as strong as the BOD. You can leave apache-perfsonar-security.conf alone since the RPM controls that. Anything the RPMs put there will get ignored in favor of your changes in the VirtualHost section of ssl.conf since the VirtualHost context takes precedence in Apache. 

Thanks,
Andy


On March 5, 2019 at 3:04:07 PM, Brent Draney () wrote:

Hi All,

Federal gov web servers are under a Binding Operational Directive that requires us to convert to HTTPS with strong(er) ciphers
and turn on HSTS. Is there a version of PerfSonar that meets the requirements that anyone is aware of or has anyone modified
their local config to meet BOD 18-01? The link below gives more information about the BOD.

Thanks,
Brent

https://pulse.cio.gov/https/domains/#q=w--
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user
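Added worked example (editor's code, not perfSONAR's and not posted by anyone in the thread): a small model of the Apache directive merge Andy describes, where SSL* directives inside the VirtualHost in ssl.conf / default-ssl.conf override the server-level ones in the RPM-managed apache-perfsonar-security.conf, followed by a check of the effective settings for the points raised in the thread: SSLv3 and TLS 1.0/1.1 disabled, no RC4/3DES enabled in the cipher string, and a Strict-Transport-Security header with a long max-age. The server-level sample below is constructed and only stands in for whatever the RPM actually ships; the VirtualHost sample reuses the directives from Alex's reply with a placeholder ServerName. The parser handles only the one-directive-per-line subset needed here, and the Header merge is a simplification of mod_headers behaviour (assumption).

```python
"""Model Apache SSL directive precedence (server context vs <VirtualHost>) and
check the effective result for the HTTPS/HSTS points discussed in the thread.
All sample config below is constructed for this example."""
import re
import shlex

try:
    import ssl  # used only to ask the local OpenSSL what a cipher string selects
except ImportError:  # minimal Python builds without _ssl
    ssl = None

# Protocols "SSLProtocol all" can enable on a modern mod_ssl/OpenSSL build.
# SSLv2 is not built into current OpenSSL, so "-SSLv2" is accepted but removes nothing.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a cipher-string token as enabling a weak family.
WEAK_SUBSTRINGS = ("RC4", "DES", "NULL", "EXP", "MD5", "LOW")
MIN_HSTS_AGE = 31536000  # one year; Alex's config uses two

# Constructed stand-in for the RPM-managed server-level file (apache-perfsonar-security.conf).
SERVER_LEVEL = """
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA
SSLHonorCipherOrder on
"""

# A VirtualHost that sets nothing of its own: server-level values apply.
VHOST_DEFAULT = """
<VirtualHost _default_:443>
    ServerName perfsonar.example.org
</VirtualHost>
"""

# The directives from Alex's reply, placed in the VirtualHost (placeholder ServerName).
VHOST_HARDENED = """
<VirtualHost _default_:443>
    ServerName perfsonar.example.org
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
</VirtualHost>
"""


def parse_apache(text):
    """Return (server_ctx, vhost_ctx): lowercased directive name -> argument list.
    Header directives go under the "headers" key as {header-name: value}."""
    server, vhost = {"headers": {}}, {"headers": {}}
    ctx = server
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            ctx = vhost
            continue
        if line.lower().startswith("</virtualhost"):
            ctx = server
            continue
        parts = shlex.split(line)  # honours the quoted HSTS value
        name, args = parts[0].lower(), parts[1:]
        if name == "header":
            if args and args[0].lower() in ("always", "onsuccess"):  # optional condition
                args = args[1:]
            if len(args) >= 3 and args[0].lower() in ("set", "add", "append", "merge"):
                ctx["headers"][args[1].lower()] = args[2]
        else:
            ctx[name] = args
    return server, vhost


def effective_config(server, vhost):
    """VirtualHost context wins for SSL* directives; Header directives from both
    contexts apply, VirtualHost value kept on a clash (simplified mod_headers merge)."""
    eff = {k: v for k, v in server.items() if k != "headers"}
    eff.update({k: v for k, v in vhost.items() if k != "headers"})
    eff["headers"] = {**server["headers"], **vhost["headers"]}
    return eff


def resolve_protocols(tokens):
    """Apply SSLProtocol tokens in order: 'all', '+name', '-name', or a bare name."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled & ALL_PROTOCOLS  # unknown names such as SSLv2 never match


def weak_cipher_tokens(spec):
    """Tokens of an OpenSSL cipher string that enable a weak family (text-level check;
    '!' and '-' prefixed tokens remove suites and are skipped)."""
    found = []
    for tok in spec.split(":"):
        if not tok or tok.startswith(("!", "-")):
            continue
        for part in tok.split("+"):  # "AES256+EECDH" is an AND of two aliases
            if any(w in part.upper() for w in WEAK_SUBSTRINGS) and tok not in found:
                found.append(tok)
    return found


def expand_ciphers(spec):
    """Suite names the local OpenSSL selects for spec ([] if rejected or no ssl module)."""
    if ssl is None:
        return []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, 0 if the header lacks it, None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def check_compliance(server_text, vhost_text):
    """Parse both files (server-level directives stay server-level when concatenated),
    merge, and report the thread's checks on the effective configuration."""
    eff = effective_config(*parse_apache(server_text + "\n" + vhost_text))
    protos = resolve_protocols(eff.get("sslprotocol", ["all", "-SSLv3"]))  # 2.4 default
    spec = eff.get("sslciphersuite", ["DEFAULT"])[-1]  # last arg: optional protocol prefix
    age = hsts_max_age(eff["headers"])
    return {
        "legacy_protocols": sorted(protos & LEGACY_PROTOCOLS),
        "weak_ciphers": weak_cipher_tokens(spec),
        "honor_cipher_order": eff.get("sslhonorcipherorder", ["off"])[0].lower() == "on",
        "hsts_max_age": age,
        "hsts_ok": age is not None and age >= MIN_HSTS_AGE,
    }


if __name__ == "__main__":
    for label, vhost in (("stock VirtualHost", VHOST_DEFAULT),
                         ("hardened VirtualHost", VHOST_HARDENED)):
        print(label, check_compliance(SERVER_LEVEL, vhost))
```

Run as-is, the stock VirtualHost inherits the server-level settings and is reported with TLSv1/TLSv1.1 still enabled, a 3DES token in the cipher list and no HSTS header; the hardened VirtualHost clears all three. To test a real host rather than the config, the same checks correspond to `openssl s_client -tls1_1` (expect a handshake failure) and `curl -sI https://host | grep -i strict-transport-security`; port 80 blocking, as Alex does with an ACL, is outside what this config-level check can see.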


