From a8d8783c9e665edcde78064ef92d4de2e536d6b2 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Mon, 8 Apr 2019 22:01:29 +0200
Subject: [PATCH] Add comment on why blacklist rather than whitelist
Signed-off-by: Patrick Uiterwijk
---
 vars/global.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/vars/global.yml b/vars/global.yml
index a548b6e41d..272677e11b 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -52,6 +52,9 @@ centos66_x86_64: CentOS-6-x86_64-GenericCloud-20141129_01
 rhel70_x86_64: rhel-guest-image-7.0-20140930.0.x86_64
 rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
+# Note: we do "all and blacklist" rather than whitelist to make sure we can use this
+# same list on both EL7 and Fedora and get new ciphers: on Fedora, at time of writing,
+# this includes TLSv1.3, which EL7 does not have.
 ssl_protocols: "+all -SSLv3 -TLSv1 -TLSv1.1"
 ssl_ciphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
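Review bot: The added comment says the "all and blacklist" approach is what lets the list pick up new ciphers such as TLSv1.3, but it sits above `ssl_protocols` only; `ssl_ciphers` two lines below is still an explicit whitelist, and a reader is likely to apply the comment to both. On OpenSSL 1.1.1 the TLS 1.3 suite names at the front of that string (`TLS_AES_256_GCM_SHA384`, …) are not consumed by the cipher-list setting at all — TLS 1.3 suites are configured through a separate ciphersuites setting, and unrecognised names in a cipher list are silently skipped — so those entries neither enable nor restrict anything. I would extend the note so the two keys are not conflated, e.g. `# ssl_ciphers below is a whitelist and only governs TLS 1.2 and earlier; TLS 1.3 suites are selected by OpenSSL's separate ciphersuites setting, not by this string.` The format of `ssl_protocols` looks like Apache's SSLProtocol syntax, but the consuming template is outside this hunk, so confirm that against the role that renders these vars.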