[Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
Christian Heimes
cheimes at redhat.com
Fri Jan 29 13:42:02 UTC 2016
On 2016-01-28 09:47, Martin Basti wrote:
>
>
> On 22.01.2016 12:32, Martin Kosek wrote:
>> On 01/21/2016 04:21 PM, Christian Heimes wrote:
>>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
>>> has been modernized. Insecure or less secure algorithms such as RC4,
>>> DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
>>> ECDH key exchange have been added. IE 8 on Windows XP is no longer
>>> supported.
>>>
>>> The list of enabled cipher suites has been generated with the script
>>> contrib/nssciphersuite/nssciphersuite.py.
>>>
>>> The supported suites are currently:
>>>
>>> TLS_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_RSA_WITH_AES_256_CBC_SHA256
>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_RSA_WITH_AES_128_GCM_SHA256
>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>> TLS_RSA_WITH_AES_256_GCM_SHA384
>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>>
>>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> Thanks for the patch! I updated the ticket to make sure this change is
>> release notes.
>>
> Hello,
>
> I'm not sure if I'm the right person to do review on this, but I will
> try :-)
>
> 1)
> Your patch adds whitespace error
>
> Applying: Modernize mod_nss's cipher suites
> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank
> line at EOF.
> +
> warning: 1 line adds whitespace errors.
>
>
> 2)
> +import urllib.request # pylint: disable=E0611
>
> Please specify pylint disabled check by name
>
> 3)
> +def update_mod_nss_cipher_suite(http):
>
> in this upgrade, is there any possibility that ciphers might be upgraded
> again in future? (IMO yes).
>
> I think, it can be better to store revision of change instead of boolean
>
> LAST_REVISION = 1
>
> if revision >= LAST_REVISION:
> return
>
> sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision',
> LAST_REVISION)
Thanks for the review. I have addressed the problems. Instead of a
revision number I'm using a date string. The sysupgrade module only
stores str and bool. With a date-based revision it's easy to see when
the cipher suite was checked last time.
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0030-2-Modernize-mod_nss-s-cipher-suites.patch
Type: text/x-patch
Size: 12048 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160129/8cea5f1f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160129/8cea5f1f/attachment.sig>
More information about the Freeipa-devel
mailing list