path: root/DEVELOPING.md
author Ed Tanous <ed.tanous@intel.com> 2019-01-16 01:28:08 +0300
committer Ed Tanous <ed@tanous.net> 2019-01-23 07:20:49 +0300
commit 54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc (patch)
tree 52434fe53be62969278ab5aaed901162348b3548 /DEVELOPING.md
parent 671a717d738ac1a94f0f34cc3bf13d2618474d9e (diff)
download bmcweb-54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc.tar.xz
bmcweb: update SSL cipher suites to OWASP compatB
Previously, bmcweb was utilizing the "mozilla compatibility" cipher suites. This is overly lenient on broken ciphers and can cause some issues with security reviews.

In researching this, it looks like we never actually documented that we follow Mozilla ciphers, aside from the statement "The OpenBMC webserver shall follow the latest OWASP recommendations for authentication, session management, and security." Considering that we're moving _to_ OWASP recommendations, this commit is simply making us follow the advice we already document, although this commit also updates the documentation to be more clear.

Tested By: Loaded on a BMC, opened web page in browser, and observed phosphor-webui loaded correctly.

Change-Id: I912b35d378ce955c1472b2d54f1a365f6efea160
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
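As an added example (not bmcweb's code, and the two cipher strings are constructed stand-ins rather than the OWASP Cipher String 'B' itself), this Python audit expands an OpenSSL cipher string into the suites it actually enables and flags the lenient ones a security review would object to, which is the check behind the motivation above.

```python
# Added example, not bmcweb code: audit an OpenSSL cipher string the way a
# reviewer would before accepting it as a server's TLS policy.
import ssl

# Constructed stand-in for a strict, forward-secret-only policy. It is NOT
# a copy of OWASP Cipher String 'B'; substitute the real string to audit it.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"
# Constructed stand-in for a lenient, legacy-compatible policy.
LENIENT_CIPHERS = "ALL:!aNULL:!eNULL"

# Symmetric algorithms any modern review rejects outright.
WEAK_SYMMETRIC = ("rc4", "des", "rc2", "seed", "idea", "null")


def expand_cipher_string(cipher_string):
    """Return the pre-TLS-1.3 suites OpenSSL actually enables for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are fixed by OpenSSL and not governed by this string,
    # so report only the suites the string controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Map each enabled suite to the findings against it (empty dict = clean)."""
    findings = {}
    for c in expand_cipher_string(cipher_string):
        problems = []
        if c["kea"] == "kx-rsa":
            problems.append("static RSA key exchange: no forward secrecy")
        sym = (c["symmetric"] or "").lower()
        if any(weak in sym for weak in WEAK_SYMMETRIC):
            problems.append(f"weak symmetric cipher {c['symmetric']}")
        if c["strength_bits"] < 128:
            problems.append(f"only {c['strength_bits']} bits of strength")
        if problems:
            findings[c["name"]] = problems
    return findings


if __name__ == "__main__":
    for label, spec in (("strict", STRICT_CIPHERS), ("lenient", LENIENT_CIPHERS)):
        flagged = audit_cipher_string(spec)
        print(f"{label}: {len(expand_cipher_string(spec))} suites, {len(flagged)} flagged")
        for name, problems in flagged.items():
            print(f"  {name}: {'; '.join(problems)}")
```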
Diffstat (limited to 'DEVELOPING.md')
-rw-r--r-- DEVELOPING.md 4
1 files changed, 4 insertions, 0 deletions
diff --git a/DEVELOPING.md b/DEVELOPING.md
index 6a920bc8a3..f06ae816ad 100644
--- a/DEVELOPING.md
+++ b/DEVELOPING.md
@@ -92,6 +92,10 @@
authentication, session management, and security.
9. ### Performance
+ TLS uses cipher suites from the "OWASP Cipher String 'B'" to maintain as
+ much compatibility as we can with modern browsers, while still keeping a
+ strong security posture.
+
The performance priorities for the OpenBMC webserver are (in order):
1. Code is readable and clear
2. Code follows secure guidelines
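Review bot: the new TLS paragraph is inserted after the "9. ### Performance" heading instead of before it, so in the rendered document the cipher-suite policy reads as part of the Performance section rather than the security statement ("authentication, session management, and security.") it elaborates on. Move the three added lines above "9. ### Performance", directly after that sentence, and keep the blank line before the heading. Since this diff is limited to DEVELOPING.md and does not show the cipher list itself, citing the OWASP cheat sheet the "B" string comes from would let a reader verify the claim against the code.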