[SAC] [OSGeo] #2926: Fix forward secrecy on osgeo9 and osgeo8 (was: Fix forward secrecy on osgeo9)

OSGeo trac_osgeo at osgeo.org
Fri Apr 28 18:49:43 PDT 2023


#2926: Fix forward secrecy on osgeo9 and osgeo8
---------------------------+---------------------------------------
 Reporter:  robe           |       Owner:  sac@…
     Type:  task           |      Status:  closed
 Priority:  normal         |   Milestone:  Sysadmin Contract 2023-I
Component:  Systems Admin  |  Resolution:  fixed
 Keywords:                 |
---------------------------+---------------------------------------
Changes (by robe):

 * status:  new => closed
 * resolution:   => fixed
 * summary:  Fix forward secrecy on osgeo9 => Fix forward secrecy on osgeo9
     and osgeo8

Comment:

 Was an issue on both osgeo8 and osgeo9. Had to add this line to the
 /etc/nginx/nginx.conf
 as noted in https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm


 {{{
 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

 }}}

 osgeo7's nginx doesn't have an ssl_ciphers setting, yet it seems to be
 fine, so it must be that the defaults on nginx/1.18.0 (Ubuntu), which is
 what osgeo7 is running, and on nginx/1.18.0 (Debian bullseye) are
 different, and the Ubuntu one is stricter.
-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2926#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
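
One way to check what a cipher string like the one in this ticket actually enables, as an added example (not part of the ticket or of OSGeo's configuration): Python's `ssl` module expands the string with the local OpenSSL and lists any suite that lacks ephemeral key exchange or uses RC4. The function names are hypothetical, and the result depends on the OpenSSL build the script runs against, so it is meant to be run on the server being checked.

```python
import ssl

# Cipher string as posted in the ticket (line breaks joined).
TICKET_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

def expand(cipher_string):
    """Suites the local OpenSSL enables for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def is_forward_secret(suite):
    """True if the suite's key exchange is ephemeral (ECDHE or DHE)."""
    # TLS 1.3 suites report a generic key exchange; certificate-authenticated
    # TLS 1.3 handshakes always use (EC)DHE.
    if suite["protocol"] == "TLSv1.3":
        return True
    return suite["kea"].startswith(("kx-ecdhe", "kx-dhe"))

def audit(cipher_string):
    """Summarise which enabled suites a reviewer should look at."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "not_forward_secret": [s["name"] for s in suites
                               if not is_forward_secret(s)],
        "rc4": [s["name"] for s in suites if "RC4" in s["name"]],
    }

if __name__ == "__main__":
    report = audit(TICKET_CIPHERS)
    print(ssl.OPENSSL_VERSION)
    print("enabled suites:      ", report["total"])
    print("no forward secrecy:  ", report["not_forward_secret"] or "none")
    print("RC4 suites:          ", report["rc4"] or "none")
    # First entries show what a server-preference handshake would pick first.
    for s in expand(TICKET_CIPHERS)[:5]:
        print(f'  {s["protocol"]:8} {s["name"]:32} {s["kea"]}')
```
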