- Type: Sub-task
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 6.0.0
- Fix Version/s: 6.4.0
- Component/s: Documentation
- Labels: None
- Pull Request URL:
- Compatibility: Point

HPCC-15237 adds the ability to configure the list of ciphers that ESP will use with OpenSSL to negotiate with clients.
I have defaulted to "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5" for now. But now that it's configurable, people can play with suggested strings and determine what the default should really be, and we can change it.
See:
http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
And for general OpenSSL cipher information:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_cipher_list.html
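
When evaluating a candidate string, it helps to see which suites it actually expands to on the OpenSSL build in use. The following is an added example, not code from HPCC or from this ticket: it uses Python's standard `ssl` module to expand the default quoted above and tags each suite. The function names and tag labels are hypothetical, and the output depends on the local OpenSSL build (many builds omit 3DES, and TLS 1.3 suites are listed regardless of the string).

```python
import ssl

# Default cipher string quoted in the ticket above.
ESP_DEFAULT = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"
)


def expand(cipher_string):
    """Return the suite names the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string is unusable
    return [c["name"] for c in ctx.get_ciphers()]


def classify(name):
    """Tag one OpenSSL suite name with properties worth reviewing (labels are hypothetical)."""
    tags = set()
    # Ephemeral key exchange: ECDHE-/DHE- prefixes, or any TLS 1.3 suite (TLS_ prefix).
    if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
        tags.add("no-forward-secrecy")
    # OpenSSL names 3DES suites with DES-CBC3.
    if "DES-CBC3" in name:
        tags.add("3des")
    # Anything that is not GCM, CCM or ChaCha20-Poly1305 is a non-AEAD (CBC) suite here.
    if not any(mode in name for mode in ("GCM", "CCM", "CHACHA20")):
        tags.add("non-aead")
    return tags


def audit(cipher_string):
    """Expand a cipher string and pair every suite with its sorted tags."""
    return [(name, sorted(classify(name))) for name in expand(cipher_string)]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, tags in audit(ESP_DEFAULT):
        print(f"{name:40} {', '.join(tags) or 'ok'}")
```

Running it against a proposed replacement string on the same host that runs ESP shows whether the change removes the tagged suites before the new default is committed.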