    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.0.0
    • Fix Version/s: 6.4.0
    • Component/s: Documentation
    • Labels:
      None

      Description

      HPCC-15237 adds the ability to configure the list of ciphers that ESP will use with OpenSSL to negotiate with clients.

      I have defaulted to "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5" for now. But now that it's configurable, people can play with suggested strings and determine what the default should really be, and we can change it.

      See:
      http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
      https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

      And for general OpenSSL cipher information:

      https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_cipher_list.html

      https://www.openssl.org/docs/manmaster/apps/ciphers.html

            People

            • Assignee:
              jamesdefabia Jim DeFabia
              Reporter:
              afishbeck Anthony Fishbeck
            • Votes:
              0
              Watchers:
              2

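To compare cipher strings as the description suggests, the sketch below expands a string into the suites the local OpenSSL build actually enables and lists what a change would drop. It is an added example, not code from HPCC or ESP; it uses Python's `ssl` module, which passes the string to the same OpenSSL cipher-list parser, and `CANDIDATE` is a constructed comparison string, not a proposed default.

```python
import re
import ssl
from collections import Counter

# Default cipher list quoted in the ticket description.
TICKET_DEFAULT = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"
)
# Constructed candidate for comparison (not from the ticket): the same list
# without the 3DES and RSA entries.
CANDIDATE = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "!aNULL:!MD5"
)
# Fields of the description line, the same text `openssl ciphers -v` prints.
FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def expand(cipher_string):
    """Suites the local OpenSSL enables for cipher_string, in priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    suites = []
    for c in ctx.get_ciphers():
        fields = dict(FIELD.findall(c["description"]))
        suites.append({"name": c["name"], "protocol": c["protocol"], **fields})
    return suites


def summarize(cipher_string):
    """Count enabled suites per key exchange (Kx) and per bulk cipher (Enc)."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "Kx": Counter(s.get("Kx") for s in suites),
        "Enc": Counter(s.get("Enc") for s in suites),
    }


def dropped(old, new):
    """Suites enabled by old but not by new, in old's priority order."""
    kept = {s["name"] for s in expand(new)}
    return [s for s in expand(old) if s["name"] not in kept]


if __name__ == "__main__":
    print(summarize(TICKET_DEFAULT))
    for s in dropped(TICKET_DEFAULT, CANDIDATE):
        print("dropped:", s["name"], s.get("Kx"), s.get("Enc"))
```

The result depends on the OpenSSL build: suites compiled out or blocked by its security level never appear, and TLS 1.3 suites are listed regardless of the string because OpenSSL configures them separately.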