From 5407b962f384d2a7f4e5c1367e36caf88b173981 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 15 Oct 2014 04:00:19 +0000 Subject: [PATCH] Set download servers to not use SSLv3 --- roles/download/files/httpd/dl.fedoraproject.org.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/download/files/httpd/dl.fedoraproject.org.conf b/roles/download/files/httpd/dl.fedoraproject.org.conf index b4ba2d4506..7be586cb1c 100644 --- a/roles/download/files/httpd/dl.fedoraproject.org.conf +++ b/roles/download/files/httpd/dl.fedoraproject.org.conf @@ -23,8 +23,9 @@ # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol +SSLv3 +TLSv1 - SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-SEED-SHA:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:SEED-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA + + SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK Include "conf.d/dl.fedoraproject.org/*.conf"