[SAC] [OSGeo] #2926: Fix forward secrecy on osgeo9 and osgeo8 (was: Fix forward secrecy on osgeo9)
OSGeo
trac_osgeo at osgeo.org
Fri Apr 28 18:49:43 PDT 2023
#2926: Fix forward secrecy on osgeo9 and osgeo8
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2023-I
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):
* status: new => closed
* resolution: => fixed
* summary: Fix forward secrecy on osgeo9 => Fix forward secrecy on osgeo9
and osgeo8
Comment:
Was an issue on both osgeo8 and osgeo9. Had to add this line to the
/etc/nginx/nginx.conf as noted in
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
{{{
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
}}}
osgeo7 nginx doesn't have an ssl_ciphers setting, yet it seems to be fine,
so it must be that the defaults on nginx/1.18.0 (ubuntu), which is what
osgeo7 is running, and the nginx/1.18.0 (Debian bullseye) defaults are
different, and the ubuntu one is stricter.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2926#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
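
Added example, not part of the ticket or of OSGeo's configuration: a Python check that expands the cipher string quoted above with the local OpenSSL and flags any selected suite that lacks forward secrecy or uses RC4. The function names (`expand`, `classify`, `audit`) are hypothetical, and the result depends on the OpenSSL build; on builds that still include RC4, the bare `RC4` token can select RSA key-exchange suites.

```python
import ssl

# Cipher string quoted in the ticket comment, joined onto one line.
TICKET_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# OpenSSL suite-name prefixes that imply ephemeral (EC)DH key exchange.
# TLS 1.3 suites (TLS_*) always negotiate an ephemeral key share.
FS_PREFIXES = ("TLS_", "ECDHE-", "DHE-", "EDH-")


def expand(cipher_string):
    """Return the suite names the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def classify(name):
    """Label one OpenSSL suite name for forward secrecy and RC4 use."""
    return {
        "name": name,
        "forward_secret": name.startswith(FS_PREFIXES),
        "rc4": "RC4" in name,
    }


def audit(names):
    """Return the classified suites that should not be offered."""
    return [c for c in map(classify, names)
            if not c["forward_secret"] or c["rc4"]]


if __name__ == "__main__":
    selected = expand(TICKET_CIPHERS)
    print(f"{len(selected)} suites selected by {ssl.OPENSSL_VERSION}")
    for c in audit(selected):
        why = "RC4" if c["rc4"] else "no forward secrecy"
        print(f"  flag {c['name']}: {why}")
```
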