API: Harden default cipher list
authorMichael Friedrich <michael.friedrich@icinga.com>
Mon, 3 Jun 2019 16:09:57 +0000 (18:09 +0200)
committerMichael Friedrich <michael.friedrich@icinga.com>
Wed, 5 Jun 2019 07:55:43 +0000 (09:55 +0200)
According to https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

doc/09-object-types.md
lib/remote/apilistener.ti

index 660b1e34b941441d5887af5e7712f6819e055729..8c1eb59cc270f460a7def297cdbc4b6b971fcd66 100644 (file)
@@ -1121,7 +1121,7 @@ Configuration Attributes:
   accept\_config                        | Boolean               | **Optional.** Accept zone configuration. Defaults to `false`.
   accept\_commands                      | Boolean               | **Optional.** Accept remote commands. Defaults to `false`.
   max\_anonymous\_clients               | Number                | **Optional.** Limit the number of anonymous client connections (not configured endpoints and signing requests).
-  cipher\_list                          | String                | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`.
+  cipher\_list                          | String                | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`.
   tls\_protocolmin                      | String                | **Optional.** Minimum TLS protocol version. Since v2.11, only `TLSv1.2` is supported. Defaults to `TLSv1.2`.
   tls\_handshake\_timeout               | Number                | **Optional.** TLS Handshake timeout. Defaults to `10s`.
   access\_control\_allow\_origin        | Array                 | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin)
index 20f59bb12fab691fa202b10c34890ca5c22fcf2f..4217ce0ab16ebd16fc81f1900f6655cc824fa6c9 100644 (file)
@@ -18,7 +18,7 @@ class ApiListener : ConfigObject
        [config, deprecated] String ca_path;
        [config] String crl_path;
        [config] String cipher_list {
-               default {{{ return "ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL"; }}}
+               default {{{ return "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; }}}
        };
        [config] String tls_protocolmin {
                default {{{ return "TLSv1.2"; }}}
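Review bot: The new `cipher_list` default is an explicit allow-list of ten TLS 1.2 suites that is now spelled out verbatim in two places (here and in the `doc/09-object-types.md` hunk above) with nothing tying them together, so the next edit to one is likely to leave the other stale. A short comment above the `default` would help, e.g. `/* Explicit TLS 1.2 allow-list (AEAD suites first, CBC-SHA256/SHA384 last); keep in sync with doc/09-object-types.md */`. Unlike the old `ALL:!LOW:...` expression, a fixed list does not pick up OpenSSL's own reclassification of suites, so it is worth noting in that comment that the list needs periodic review, and that the four trailing `*-AES*-SHA256`/`SHA384` entries are CBC-mode rather than AEAD and could be dropped if only AEAD is wanted. The code that passes this string to OpenSSL is outside the hunk; if it does not already fail startup when no entry in the list is accepted (which can happen on an OpenSSL build without CHACHA20 or ECDSA support combined with an operator-trimmed list), that is the place to check.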