Reviewed-by: Rodrigo Trujillo <rodrigo.trujillo(a)linux.vnet.ibm.com>
On 04/07/2015 04:29 PM, Aline Manera wrote:
For reference:
- http://www.theregister.co.uk/2015/03/27/bar_mitzvah_crypto_attack/
Apparently, Kimchi does not support RC4.
$ curl -u <user:password> -H "Content-Type: application/json" -H "Accept: application/json" https://localhost:8001/host --ciphers RC4 --tlsv1.1
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
But as we've already started some discussion to replace nginx with another
reverse proxy, I prefer to have this configuration explicitly done to
make us aware of that issue in the future.
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
---
src/nginx.conf.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index ed926a3..e308152 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -53,6 +53,7 @@ http {
ssl_certificate ${cert_pem};
ssl_certificate_key ${cert_key};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
add_header X-Frame-Options DENY;
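Review bot: the `@STRENGTH` suffix on `ECDH@STRENGTH` and `DH@STRENGTH` in the added `ssl_ciphers` line is not how OpenSSL's cipher-list syntax expects that directive; `@STRENGTH` is a list-wide sort rule that belongs once, as its own colon-separated item at the end (for example `...:!aNULL:!eNULL:@STRENGTH`), and when glued to a keyword group the remainder after the keyword is ignored, so the intended strength ordering is not applied. Please confirm the resulting list with `openssl ciphers -v 'ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL'` and compare it against the corrected form. Since the point of the change is to control which suites the server offers, consider also adding `ssl_prefer_server_ciphers on;` next to it so the server's ordering, not the client's, decides the negotiated suite; the `!RC4` exclusion itself matches the curl check quoted in the commit message and is fine.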