[Bug 25948] New: Clean up apache protocols and ciphers
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 Bug ID: 25948 Summary: Clean up apache protocols and ciphers Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Installation and upgrade (command-line installer) Assignee: koha-bugs@lists.koha-community.org Reporter: mtompset@hotmail.com QA Contact: testopia@bugs.koha-community.org SSLCipherSuite was truncated and different between the OPAC and Intranet sections. While cleaning that up, removed TLSv1 as it is supposed to be deprecated already. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 --- Comment #1 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 106645 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106645&action=edit Bug 25948: Clean up apache-site-https a little - removed ECDHE-RSA-AES256-SHA384, as it downgrades to CBC use https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/ - added DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 - added ECDHE-ECDSA-AES256-SHA384 - removed cut-off ECDHE-RSA-SA- and ECDHE-RSA-AES - made OPAC and Intranet sections match - removed TLSv1 https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-upda... https://www.entrustdatacard.com/blog/2018/november/deprecating-tls - did not remove TLSv1.1 as this would break support for older browsers probably still in use. - did not add TLSv1.3 as it depends on OS used and version of openSSL if it is supported or not. This may break support for some things, but nothing semi-current. I don't care about ie 11 on windows 8.1 phones, or safari 6-8. Also, people using letsencrypt.org should look into using a DNS CAA record for their opac site URL, issued by letsencrypt.org with flags set to 0. This affects the installation using: sudo koha-create --letsencrypt --create-db instance BEFORE using this command recently, I needed to disable the 000-default site, and had to create a directory /usr/share/koha/intranet/htdocs/.well-known/acme-challenge which I also softlinked from /usr/share/koha/opac/htdocs/.well-known/acme-challenge to the intranet one. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |mtompset@hotmail.com |ity.org | Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Comment on attachment 106645 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106645 Bug 25948: Clean up apache-site-https a little Review of attachment 106645: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=25948&attachment=106645) ----------------------------------------------------------------- ::: debian/templates/apache-site-https.conf.in @@ +12,4 @@
# OPAC <VirtualHost *:80> #https # SSLEngine on +# SSLProtocol -all +TLSv1.2 +TLSv1.1
TLSv1.1 is deprecated now too Should include +TLSv1.3 @@ +39,4 @@
# Intranet <VirtualHost *:80> #https # SSLEngine on +# SSLProtocol -all +TLSv1.2 +TLSv1.1
TLSv1.1 is deprecated now too Should include +TLSv1.3 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- It's great to see some updates here -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #4 from Fridolin Somers <fridolin.somers@biblibre.com> ---
TLSv1.1 is deprecated now too Should include +TLSv1.3 Still valid ?
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- I took care of SSLProtocol on bug 34193 but the SSLCipherSuite probably could use some love... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org