path: root/include/ssl_key_handler.hpp
author: Ed Tanous <ed.tanous@intel.com> 2019-01-16 01:28:08 +0300
committer: Ed Tanous <ed@tanous.net> 2019-01-23 07:20:49 +0300
commit: 54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc (patch)
tree: 52434fe53be62969278ab5aaed901162348b3548 /include/ssl_key_handler.hpp
parent: 671a717d738ac1a94f0f34cc3bf13d2618474d9e (diff)
download: bmcweb-54fd221a9139f46c7c95b4a22cc09e6e7ce4cbbc.tar.xz
bmcweb: update SSL cipher suites to OWASP compat B

Previously, bmcweb was utilizing the "mozilla compatibility" cipher suites. This is overly lenient on broken ciphers and can cause some issues with security reviews.

In researching this, it looks like we never actually documented that we follow Mozilla ciphers, aside from the statement "The OpenBMC webserver shall follow the latest OWASP recommendations for authentication, session management, and security." Considering that we're moving _to_ OWASP recommendations, this commit is simply making us follow the advice we already document, although this commit also updates the documentation to be more clear.

Tested By: Loaded on a BMC, opened web page in browser, and observed phosphor-webui loaded correctly.

Change-Id: I912b35d378ce955c1472b2d54f1a365f6efea160
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include/ssl_key_handler.hpp')
-rw-r--r-- include/ssl_key_handler.hpp 17
1 file changed, 16 insertions, 1 deletion
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 32d7a7368b..fc088ad01b 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -352,8 +352,23 @@ inline boost::asio::ssl::context getSslContext(const std::string &ssl_pem_file)
std::string aesOnlyCiphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
+ // OWASP Cipher String 'B' (Broad compatibility to browsers)
+ // https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
+ std::string owaspBroadCompatibility = "DHE-RSA-AES256-GCM-SHA384:"
+ "DHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "DHE-RSA-AES256-SHA256:"
+ "DHE-RSA-AES128-SHA256:"
+ "ECDHE-RSA-AES256-SHA384:"
+ "ECDHE-RSA-AES128-SHA256:"
+ "ECDHE-RSA-AES256-SHA:"
+ "ECDHE-RSA-AES128-SHA:"
+ "DHE-RSA-AES256-SHA:"
+ "DHE-RSA-AES128-SHA";
+
if (SSL_CTX_set_cipher_list(mSslContext.native_handle(),
- mozillaCompatibilityCiphers.c_str()) != 1)
+ owaspBroadCompatibility.c_str()) != 1)
{
BMCWEB_LOG_ERROR << "Error setting cipher list\n";
}
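Review bot: the failure branch after the new `SSL_CTX_set_cipher_list` call only logs "Error setting cipher list" and lets `getSslContext` carry on, so if OpenSSL ever rejects the OWASP 'B' string (for instance on a build where some of the listed suites are unavailable) the context silently keeps OpenSSL's default cipher list instead of the tightened one; consider treating a return value other than 1 as fatal (throw, or return an error from `getSslContext`) so a degraded configuration cannot ship unnoticed. Two smaller points: this hunk removes the only visible use of `mozillaCompatibilityCiphers`, and the unchanged context line still declares `aesOnlyCiphers`, which is also unreferenced here, so if their definitions above the hunk are now dead they should go in the same change; and the comment above `owaspBroadCompatibility` would benefit from one sentence explaining why the broad-compatibility profile 'B', which still carries the CBC/SHA-1 `ECDHE-RSA-AES*-SHA` and `DHE-RSA-AES*-SHA` suites, was chosen over a stricter OWASP profile, since that is the question the next security review will ask.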