[pve-devel] applied: [PATCH manager 1/2] Update default CIPHERS to a more current list

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Oct 17 08:12:29 CEST 2018


On 10/11/18 12:05 PM, Rhonda D'Vine wrote:
> The default CIPHERS allowed for a fair number of connections that are
> not really considered secure anymore.  This updated cipher list is taken
> from Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
> 
> Signed-off-by: Rhonda D'Vine <rhonda at proxmox.com>
> ---
>  PVE/Service/pveproxy.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index bb60b29e..b286931b 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -106,7 +106,7 @@ sub init {
>  	    method => 'any',
>  	    sslv2 => 0,
>  	    sslv3 => 0,
> -	    cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
> +	    cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
>  	    key_file => '/etc/pve/local/pve-ssl.key',
>  	    cert_file => '/etc/pve/local/pve-ssl.pem',
>  	},
> 
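
Review bot: The new default on the cipher_list line contains only suites defined for TLS 1.2 (AES-GCM, CHACHA20-POLY1305 and the SHA256/SHA384 CBC suites), all with ECDHE key exchange. The context still shows method => 'any' with just sslv2 and sslv3 turned off, but TLS 1.0 and 1.1 clients, and clients without ECDHE support, will no longer complete a handshake. That is a behaviour change for existing installs which the commit message does not mention; please state it there and in the documentation, pointing at the CIPHERS setting read via $proxyconf->{CIPHERS} as the way to override the default. A short comment above the line recording that the list is copied from the Mozilla Server Side TLS page, and when it was taken, would help whoever refreshes it next. The last four entries are still CBC-mode suites, so the comment should also say whether they are kept deliberately for compatibility.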

applied, thanks!



