[pve-devel] [PATCH manager 1/2] Update default CIPHERS to a more current list
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 11 16:48:50 CEST 2018
On Thu, Oct 11, 2018 at 12:05:19PM +0200, Rhonda D'Vine wrote:
> The default CIPHERS allowed a fair number of connections that are no longer
> considered secure. This updated cipher list is taken from
> Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Signed-off-by: Rhonda D'Vine <rhonda at proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Please also update pve-docs.git/pveproxy.adoc, which still references
the old default ;)
> ---
> PVE/Service/pveproxy.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index bb60b29e..b286931b 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -106,7 +106,7 @@ sub init {
> method => 'any',
> sslv2 => 0,
> sslv3 => 0,
> - cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
> + cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
> key_file => '/etc/pve/local/pve-ssl.key',
> cert_file => '/etc/pve/local/pve-ssl.pem',
> },
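Review bot: The new fallback on the `cipher_list` line is a hand-copied literal of ten suites with no record of which profile or revision of the Mozilla page it came from, so it will drift silently as that page changes. Consider moving it into a named constant (or a list joined with `:`, one suite per line) with a comment naming the profile and the date it was taken. Every entry is also an ECDHE suite defined for TLS 1.2, while the context lines keep `method => 'any'` with only `sslv2` and `sslv3` turned off, so clients limited to TLS 1.0/1.1 or lacking ECDHE support will now fail the handshake for want of a shared cipher. That compatibility change is worth stating in the commit message and next to the `CIPHERS` override in the pveproxy documentation.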
> --
> 2.11.0
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel