[Koha-bugs] [Bug 25948] Clean up apache protocols and ciphers
bugzilla-daemon at bugs.koha-community.org
Tue Jul 7 23:28:36 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948
--- Comment #1 from M. Tompsett <mtompset at hotmail.com> ---
Created attachment 106645 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106645&action=edit
Bug 25948: Clean up apache-site-https a little
- removed ECDHE-RSA-AES256-SHA384, as it downgrades to CBC use
https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/
- added DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
- added ECDHE-ECDSA-AES256-SHA384
- removed cut-off ECDHE-RSA-SA- and ECDHE-RSA-AES
- made OPAC and Intranet sections match
- removed TLSv1
https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/
https://www.entrustdatacard.com/blog/2018/november/deprecating-tls
- did not remove TLSv1.1 as this would break support for older browsers
probably still in use.
- did not add TLSv1.3, as whether it is supported depends on the OS used and
the version of OpenSSL.
This may break support for some things, but nothing semi-current. I
don't care about IE 11 on Windows 8.1 phones, or Safari 6-8.
Also, people using letsencrypt.org should look into using a DNS CAA record
for their opac site URL, issued by letsencrypt.org with flags set to 0.
This affects the installation using:
sudo koha-create --letsencrypt --create-db instance
BEFORE using this command recently, I needed to disable the
000-default site, and had to create a directory
/usr/share/koha/intranet/htdocs/.well-known/acme-challenge
which I also softlinked from
/usr/share/koha/opac/htdocs/.well-known/acme-challenge to
the intranet one.
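As an added example (not part of this bug comment or of Koha's own tooling), a small lint that applies the comment's own criteria to an Apache mod_ssl SSLCipherSuite/SSLProtocol pair: it flags CBC-mode suites, suites without (EC)DHE forward secrecy, and deprecated protocol versions. It assumes OpenSSL-style suite names and that mod_ssl's `all` expands to the protocol set hard-coded below; the sample directives are constructed from suites named in the comment.

```python
# Added example, not Koha's code: lint an Apache SSLCipherSuite /
# SSLProtocol pair by the criteria used in the comment above (CBC suites,
# no forward secrecy, deprecated protocols). Suite names are OpenSSL-style.

# AEAD suites carry one of these markers; everything else is CBC + HMAC.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what mod_ssl's "all" expands to on a current OpenSSL build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def is_cbc(suite: str) -> bool:
    """True when the suite has no AEAD marker, i.e. it is a CBC suite."""
    return not any(m in suite for m in AEAD_MARKERS)

def has_forward_secrecy(suite: str) -> bool:
    """Only (EC)DHE key exchange yields per-session keys."""
    return suite.startswith(("ECDHE-", "DHE-"))

def parse_cipher_suite(directive: str) -> list:
    """'SSLCipherSuite A:B:!C' -> ['A', 'B']; entries starting with
    '!', '-' or '+' are OpenSSL selectors, not suite names, and are skipped."""
    value = directive.split(None, 1)[1] if " " in directive.strip() else ""
    return [s for s in value.split(":") if s and s[0] not in "!-+"]

def enabled_protocols(directive: str) -> set:
    """'SSLProtocol all -SSLv3 -TLSv1' -> {'TLSv1.1', 'TLSv1.2', 'TLSv1.3'}."""
    tokens = directive.split()[1:]
    disabled = {t[1:] for t in tokens if t.startswith("-")}
    enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    if "all" in enabled:
        enabled = (enabled - {"all"}) | ALL_PROTOCOLS
    return enabled - disabled

def lint(cipher_directive: str, protocol_directive: str) -> dict:
    """Return the findings a reviewer of these two directives would want."""
    suites = parse_cipher_suite(cipher_directive)
    return {
        "cbc": [s for s in suites if is_cbc(s)],
        "no_pfs": [s for s in suites if not has_forward_secrecy(s)],
        "deprecated": sorted(enabled_protocols(protocol_directive)
                             & DEPRECATED_PROTOCOLS),
    }

# Constructed sample built from suites named in the comment (plus AES128-SHA).
SAMPLE_CIPHERS = ("SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:"
                  "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
                  "ECDHE-RSA-AES256-SHA384:AES128-SHA:!aNULL:!MD5")
SAMPLE_PROTOCOLS = "SSLProtocol all -SSLv3 -TLSv1"

if __name__ == "__main__":
    print(lint(SAMPLE_CIPHERS, SAMPLE_PROTOCOLS))
```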