Opened 20 months ago

Closed 20 months ago

#2926 closed task (fixed)

Fix forward secrecy on osgeo9 and osgeo8

Reported by: robe Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2023-I
Component: SysAdmin Keywords:
Cc:

Description

osgeo9 server is getting a B score on SSLabs because of the forward secrecy setting

https://blog.qualys.com/product-tech/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update?_ga=2.93270165.907080469.1682616254-892586743.1682616254

This affects all websites on osgeo9.

Change History (1)

comment:1 by robe, 20 months ago

Resolution: fixed
Status: newclosed
Summary: Fix forward secrecy on osgeo9Fix forward secrecy on osgeo9 and osgeo8

Was an issue on both osgeo8 and osgeo9. Had to add this line to the /etc/nginx/nginx.conf as noted in https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm 

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

osgeo7 nginx doesn't have a ssl_ciphers setting yet it seems to be fine, so must be the defaults on nginx/1.18.0 (ubuntu) which is what osgeo7 is running vs. the nginx/1.18.0 (Debian bullseye) defaults are different and the ubuntu one is stricter.

Note: See TracTickets for help on using tickets.