[Kimchi-devel] [PATCH] Security: Prevent Bar Mitzvah attacks by disabling RC4
Rodrigo Trujillo
rodrigo.trujillo at linux.vnet.ibm.com
Tue Apr 7 19:40:05 UTC 2015
Reviewed-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
On 04/07/2015 04:29 PM, Aline Manera wrote:
> For reference:
> - http://www.theregister.co.uk/2015/03/27/bar_mitzvah_crypto_attack/
>
> Apparently, Kimchi does not support RC4.
>
> $ curl -u <user:password> -H "Content-Type: application/json" -H
> "Accept: application/json" https://localhost:8001/host --ciphers RC4
> --tlsv1.1
> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure
>
> But as we've already started some discussion to replace nginx to other
> reverse proxy, I prefer to have this configuration explicitily done to
> make us aware about that issue in future.
>
> Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
> ---
> src/nginx.conf.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/nginx.conf.in b/src/nginx.conf.in
> index ed926a3..e308152 100644
> --- a/src/nginx.conf.in
> +++ b/src/nginx.conf.in
> @@ -53,6 +53,7 @@ http {
> ssl_certificate ${cert_pem};
> ssl_certificate_key ${cert_key};
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> + ssl_ciphers ECDH at STRENGTH:DH at STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL;
>
> add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
> add_header X-Frame-Options DENY;
More information about the Kimchi-devel
mailing list