[PATCH] Security: Prevent Bar Mitzvah attacks by disabling RC4

For reference:
- http://www.theregister.co.uk/2015/03/27/bar_mitzvah_crypto_attack/

Apparently, Kimchi does not support RC4.

$ curl -u <user:password> -H "Content-Type: application/json" -H "Accept: application/json" https://localhost:8001/host --ciphers RC4 --tlsv1.1
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

But as we've already started some discussion to replace nginx with another reverse proxy, I prefer to have this configuration explicitly done to make us aware of that issue in the future.

Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/nginx.conf.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/nginx.conf.in b/src/nginx.conf.in index ed926a3..e308152 100644 --- a/src/nginx.conf.in +++ b/src/nginx.conf.in @@ -53,6 +53,7 @@ http { ssl_certificate ${cert_pem}; ssl_certificate_key ${cert_key}; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; add_header X-Frame-Options DENY; -- 2.1.0
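Review bot: `!DES` in the new `ssl_ciphers` line excludes only single-DES suites, and on OpenSSL 1.0.x the `HIGH` group still contains triple DES (`DES-CBC3-SHA`); if 3DES is meant to go out together with RC4, add `!3DES` to the string. The string relies on `@STRENGTH` ordering to prefer the ECDH and DH suites, but that order only wins if the hunk also adds `ssl_prefer_server_ciphers on;` beside the new line; without it nginx follows the client's preference. The resulting list is easiest to review with `openssl ciphers -v 'ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL'`, and the unchanged context line `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still leaves TLS 1.0 enabled, which deserves a follow-up patch.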

Reviewed-by: Rodrigo Trujillo <rodrigo.trujillo@linux.vnet.ibm.com>

On 04/07/2015 04:29 PM, Aline Manera wrote:
For reference:
- http://www.theregister.co.uk/2015/03/27/bar_mitzvah_crypto_attack/
Apparently, Kimchi does not support RC4.
$ curl -u <user:password> -H "Content-Type: application/json" -H "Accept: application/json" https://localhost:8001/host --ciphers RC4 --tlsv1.1
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
But as we've already started some discussion to replace nginx with another reverse proxy, I prefer to have this configuration explicitly done to make us aware of that issue in the future.
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/nginx.conf.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/nginx.conf.in b/src/nginx.conf.in index ed926a3..e308152 100644 --- a/src/nginx.conf.in +++ b/src/nginx.conf.in @@ -53,6 +53,7 @@ http { ssl_certificate ${cert_pem}; ssl_certificate_key ${cert_key}; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; add_header X-Frame-Options DENY;
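The patch trusts the OpenSSL cipher string to drop RC4, MD5, DES and anonymous/null suites, and verifies only the RC4 case with a curl handshake. The following added example (not part of the Kimchi patch or project) applies the same string through Python's `ssl` module, which wraps the same OpenSSL `SSL_CTX_set_cipher_list` call nginx uses for `ssl_ciphers`, and reports every enabled suite that still matches one of the excluded categories. It goes one step beyond the patch by also flagging triple DES, which the `!DES` keyword does not remove. Function names and the description-line regex are this example's own; the resulting suite list depends on the OpenSSL build Python links against.

```python
"""Audit an nginx ssl_ciphers string offline via Python's OpenSSL binding.

Added example, not code from the Kimchi patch. Needs no running nginx and no
network: it configures an SSLContext with the string and inspects the result.
"""
import re
import ssl

# The value the patch adds to src/nginx.conf.in (copied from the hunk).
KIMCHI_SSL_CIPHERS = "ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL"

# Categories the patch's "!" keywords promise to exclude. "3DES" is reported
# separately below because "!DES" only covers single DES.
BANNED_BY_PATCH = ("RC4", "MD5", "DES", "aNULL", "eNULL")

# Constructed regex over OpenSSL's SSL_CIPHER_description() line, e.g.
# "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
_DESC = re.compile(r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")


def enabled_suites(cipher_string):
    """Apply the cipher string as nginx's ssl_ciphers would and return the
    TLS 1.0-1.2 suites it selects. TLS 1.3 suites are configured separately
    in OpenSSL and are not governed by this string, so they are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(description):
    """Return the reasons a suite description is weak (empty list if none)."""
    m = _DESC.search(description)
    if m is None:
        return ["unparsed description"]
    au, enc, mac = (m.group(k).upper() for k in ("au", "enc", "mac"))
    reasons = []
    if enc.startswith("RC4"):
        reasons.append("RC4")
    if mac == "MD5":
        reasons.append("MD5")
    if enc.startswith("DES"):      # single DES, shown as Enc=DES(56)
        reasons.append("DES")
    if enc.startswith("3DES"):     # Enc=3DES(168): not caught by !DES
        reasons.append("3DES")
    if au == "NONE":               # anonymous key exchange (aNULL)
        reasons.append("aNULL")
    if enc == "NONE":              # no encryption at all (eNULL)
        reasons.append("eNULL")
    return reasons


def weak_suites(cipher_string):
    """Map each weak enabled suite name to its list of reasons."""
    report = {}
    for suite in enabled_suites(cipher_string):
        reasons = classify(suite["description"])
        if reasons:
            report[suite["name"]] = reasons
    return report


def patch_exclusions_hold(cipher_string):
    """True if no enabled suite violates a category the patch excludes."""
    return not any(set(reasons) & set(BANNED_BY_PATCH)
                   for reasons in weak_suites(cipher_string).values())


if __name__ == "__main__":
    for name, reasons in sorted(weak_suites(KIMCHI_SSL_CIPHERS).items()):
        print(f"{name}: {', '.join(reasons)}")
    print("patch exclusions hold:", patch_exclusions_hold(KIMCHI_SSL_CIPHERS))
```

Running it on a 2015-era OpenSSL 1.0.x build typically lists `DES-CBC3-SHA` under the `3DES` reason while `patch_exclusions_hold` still returns true; on OpenSSL 1.1.0 and later, 3DES has moved out of `HIGH` and the report is empty. Either way the check is worth running against the string before it lands, since it sees exactly the suite set the server will offer rather than the single RC4 probe in the commit message.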