[Kimchi-devel] [PATCH] Security: Prevent Bar Mitzvah attacks by disabling RC4
Aline Manera
alinefm at linux.vnet.ibm.com
Tue Apr 7 19:29:48 UTC 2015
For reference:
- http://www.theregister.co.uk/2015/03/27/bar_mitzvah_crypto_attack/
Apparently, Kimchi does not support RC4.
$ curl -u <user:password> -H "Content-Type: application/json" -H "Accept: application/json" https://localhost:8001/host --ciphers RC4 --tlsv1.1
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
But as we've already started some discussion to replace nginx with another
reverse proxy, I prefer to have this configuration explicitly done to
make us aware of that issue in the future.
Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
---
src/nginx.conf.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index ed926a3..e308152 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -53,6 +53,7 @@ http {
ssl_certificate ${cert_pem};
ssl_certificate_key ${cert_key};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH at STRENGTH:DH at STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Frame-Options DENY;
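Review bot: the new ssl_ciphers line establishes a preference order (`@STRENGTH` sorts the (EC)DH suites by key size, so a 256-bit CBC suite outranks 128-bit AES-GCM), but nothing in this hunk turns on `ssl_prefer_server_ciphers on;`, so unless it is set elsewhere in the block the client's order still decides; add that directive next to ssl_ciphers. Two smaller points on the same line: `HIGH` is appended after the forward-secret suites and brings in plain-RSA key exchange and, with the OpenSSL 1.0.x of this period, 3DES, which `!DES` does not remove (OpenSSL's `DES` alias matches single DES only; triple DES is `3DES`), so consider adding `!3DES` or restricting the list to `ECDHE`/`DHE` suites; and the ` at ` in `ECDH at STRENGTH:DH at STRENGTH` is the archive's munging of `@` (it does the same to the author address on the Signed-off-by line), so the committed file needs `ECDH@STRENGTH:DH@STRENGTH`, since ssl_ciphers takes exactly one argument and nginx would reject the munged form.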
--
2.1.0
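To see what the ssl_ciphers string in the patch actually enables, and what it does not exclude, here is an added example that is not part of the original message or of Kimchi. It feeds the string to the system OpenSSL through Python's ssl module, which is the same cipher-string parser nginx hands ssl_ciphers to, and lists what survives. The `@` is restored from the archive's " at "; the WEAK_CIPHERS string and the forward-secrecy prefix heuristic are constructed for the demonstration only.

```python
"""Expand an nginx ssl_ciphers string and check what it really enables.

Added example for this thread; it is not Kimchi's code.  The cipher string
goes to the system OpenSSL via Python's ssl module, as nginx passes
ssl_ciphers to SSL_CTX_set_cipher_list(), so the resulting list depends on
the OpenSSL version installed where this runs.
"""
import ssl

# The string from the patch, with the archive's " at " restored to "@".
PATCH_CIPHERS = "ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL"

# A deliberately permissive list, constructed here only so the checks have
# something to flag (RC4/MD5 appear only where the local OpenSSL builds them).
WEAK_CIPHERS = "ALL:!aNULL"

# Key-exchange prefixes that give forward secrecy; TLS_ marks TLS 1.3 suites.
# Heuristic on OpenSSL suite names, assumed for this example.
PFS_PREFIXES = ("ECDHE", "DHE", "EDH", "TLS_")


def expand(spec):
    """Return the suite names OpenSSL selects for `spec`, in offer order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string matches nothing
    return [c["name"] for c in ctx.get_ciphers()]


def audit(spec):
    """Flag suites that survive `spec` and that a reviewer would object to."""
    names = expand(spec)
    findings = {
        "rc4": [n for n in names if "RC4" in n],
        "md5": [n for n in names if n.endswith("MD5")],
        "anon": [n for n in names if n.startswith(("ADH", "AECDH"))],
        "null": [n for n in names if "NULL" in n],
        # "!DES" removes single DES only; any surviving 3DES suites are listed here.
        "3des": [n for n in names if "DES-CBC3" in n],
        # Plain-RSA (or fixed ECDH) key exchange: no forward secrecy.
        "no_pfs": [n for n in names if not n.startswith(PFS_PREFIXES)],
    }
    findings["clean"] = not any(findings[k] for k in ("rc4", "md5", "anon", "null"))
    return findings


if __name__ == "__main__":
    for label, spec in (("patch", PATCH_CIPHERS), ("weak", WEAK_CIPHERS)):
        result = audit(spec)
        print(f"{label}: {spec}")
        print("  first offered:", expand(spec)[:3])
        for key, hits in result.items():
            if key != "clean" and hits:
                print(f"  {key}: {len(hits)} suite(s), e.g. {hits[0]}")
        print("  clean:", result["clean"])
```

The results are per OpenSSL version: on the 1.0.x OpenSSL current when this patch was posted, HIGH still includes 3DES, which `!DES` does not remove, so the `3des` finding fires for the patch string; on 1.1.0 and later 3DES is no longer in HIGH and RC4 is usually not compiled in at all, so even the permissive list may only be flagged for its non-forward-secret suites. Either way the `no_pfs` list for the patch string shows the plain-RSA suites that `HIGH` appends behind the (EC)DHE ones.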