From 71520e886f7edcc7eb2b91b959a512883b684910 Mon Sep 17 00:00:00 2001
From: "Czarnowski, Przemyslaw"
Date: Mon, 24 May 2021 23:57:27 +0200
Subject: Forbid ECDHE-RSA-CHACHA20-POLY1305 with TLSv1.2
According to the latest recommendations obsolete cipher suites shall be forbidden. Tested: Python HTTP server configured TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305 cipher can't be reached.
Change-Id: I370c125b28c4df4bba744ec63536aa8fdebb961d
Signed-off-by: Czarnowski, Przemyslaw
---
 src/state/activating_state.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/state/activating_state.cpp')
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index 6cf9f68..22225a2 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -269,7 +269,8 @@ std::unique_ptr
 "followlocation=false",
 "ssl-cipher-list=ALL:!eNULL:!aNULL:"
 "!AES256-GCM-SHA384:!AES128-GCM-SHA256:"
- "!AES256-SHA256:!AES128-SHA256"};
+ "!AES256-SHA256:!AES128-SHA256:"
+ "!ECDHE-RSA-CHACHA20-POLY1305"};
 // Authenticate if needed
 if (machine.getTarget()->credentials)
--
cgit v1.2.3
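Review bot: The cipher string extended here is a denylist on top of `ALL`, so excluding `ECDHE-RSA-CHACHA20-POLY1305` by name leaves every suite that is not spelled out negotiable, which as written appears to include the ECDSA and DHE ChaCha20 variants and SHA-1 CBC suites such as `AES128-SHA`. If the recommendation cited in the commit message targets a whole class, a class keyword (for example `!CHACHA20` or `!kRSA` in OpenSSL cipher-string syntax) or an explicit allowlist would keep the policy from drifting as the TLS library gains suites. The literal also carries no comment naming its source; a line such as `// Cipher denylist per <policy reference>; suites not listed stay enabled via ALL` above it would let the next reviewer audit the list. If this option ends up as a libcurl/OpenSSL cipher list it probably does not govern TLS 1.3 suites, which are configured separately, so it is worth confirming that the TLSv1.2-only scope is intended. The enclosing function starts and ends outside the hunk.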