Opened 13 days ago

#32351 new task

review our ssl ciphers suite

Reported by: anarcat Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We currently use magic incantation from the Mozilla SSL observatory in our Apache (and now nginx, see #32239) installations. We should review it and see if it's still relevant. It seems we're using the suites as per the Mozilla observatory, but since we're upgrading to buster, it might be worth upgrading our suite a little.

The documentation in the file mentions those URLs:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate

But that's *two* lists... maybe what we have is the merged one?

In any case, this probably needs a kick. The list was created in 2014 and last touched in 2018, according to the comments in the apache config.

Unless we have per openssl-version configs, this will have to wait until #29399 is done at least.

Child Tickets

Change History (0)

Note: See TracTickets for help on using tickets.