From b9e1047161726e66ae8364b1a0f7002143f20ff7 Mon Sep 17 00:00:00 2001
From: Karol Wachowski
Date: Wed, 18 Nov 2020 15:03:40 +0000
Subject: Remove unsuported cipher suits form legacy HTTPS

Removed following cipher suits:
* AES256-GCM-SHA384
* AES128-GCM-SHA256
* AES256-SHA256
* AES128-SHA256
Tested:
- verified manually that listed ciphers are not accepted
- verified manually that it is possible to mount HTTPS resource using TLS version >= 1.1 and other ciphers
Change-Id: If41dfc8fa8439a1be1fd61dbb639595523a7157d
Signed-off-by: Karol Wachowski
---
 src/state/activating_state.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index 8b69fac..9cbd324 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -234,7 +234,10 @@ std::unique_ptr
 "url=" + url,
 // custom OpenBMC path for CA
 "capath=/etc/ssl/certs/authority",
- "ssl-version=tlsv1.1"};
+ "ssl-version=tlsv1.1",
+ "ssl-cipher-list=ALL:!eNULL:!aNULL:"
+ "!AES256-GCM-SHA384:!AES128-GCM-SHA256:"
+ "!AES256-SHA256:!AES128-SHA256"};
 // Authenticate if needed
 if (machine.getTarget()->credentials)
-- 
cgit v1.2.3
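Review bot: The added `ssl-cipher-list` value is a denylist on top of `ALL`, so every other suite the TLS library was built with stays negotiable and the effective policy depends on the library build rather than on this file. Assuming the string is parsed as an OpenSSL cipher list, the four excluded names are static-RSA key-exchange suites, yet others of the same kind (for example `AES256-SHA`) and any 3DES or RC4 suites present in the build are still accepted; if the intent is to drop non-forward-secret key exchange, a value such as `"ssl-cipher-list=HIGH:!aNULL:!eNULL:!kRSA"` states that directly and does not need a new entry per suite. Whichever value is kept, a comment above it in the style of the existing `// custom OpenBMC path for CA` line should record why these suites are excluded, since the commit message only calls them unsupported. Under the same assumption the list governs TLS 1.2 and below only, and the unchanged `ssl-version=tlsv1.1` option still permits TLS 1.1, so the floor may be worth raising in the same place. The enclosing initializer list and function begin and end outside the hunk.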