From 12dfca542800102a3fb28698086535cd2cca3ade Mon Sep 17 00:00:00 2001
From: Ed Tanous
Date: Wed, 14 Jun 2023 11:20:54 -0700
Subject: Upgrade to mozilla intermediate 5.7

Mozilla intermediate 5.7 was released last month[1] The last release to these was 3 years ago, so we haven't really had to update much. Update cipher suites to match new list for mozilla intermediate. Note, the variable is called "mozilla modern" but it hasn't tracked the modern recommendations for some time.

Tested: testssl.sh, from the master branch (864877df) Returns a passing result, showing no change in supported products, and the cipher suites correctly applied. Redfish service validator shows no change in result.

[1] https://ssl-config.mozilla.org/guidelines/5.7.json
[2] https://github.com/mozilla/ssl-config-generator/tree/master/src/static/guidelines

Tested: WIP
Change-Id: Ie9ccb7757ae527fa3ac129f781ae32657c7dfdd9
Signed-off-by: Ed Tanous
---
 include/ssl_key_handler.hpp | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

(limited to 'include')

diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 71528417de..bb2600c49c 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -459,16 +459,15 @@ inline std::shared_ptr
 BMCWEB_LOG_ERROR << "Error setting tmp ecdh list\n";
 }
 
- std::string mozillaModern = "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ std::string mozillaModern = "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
 "ECDHE-RSA-AES256-GCM-SHA384:"
 "ECDHE-ECDSA-CHACHA20-POLY1305:"
 "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "ECDHE-ECDSA-AES128-SHA256:"
- "ECDHE-RSA-AES128-SHA256";
+ "DHE-RSA-AES128-GCM-SHA256:"
+ "DHE-RSA-AES256-GCM-SHA384:"
+ "DHE-RSA-CHACHA20-POLY1305";
 
 if (SSL_CTX_set_cipher_list(mSslContext->native_handle(),
 mozillaModern.c_str()) != 1)
-- 
cgit v1.2.3
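Review bot: The three DHE-RSA-* suites appended at the end of the new list are only negotiable when the context has DH parameters available, and the hunk shows only the tmp ecdh setup, so unless code outside this hunk calls SSL_CTX_set_dh_auto or installs explicit 2048-bit-or-larger parameters, those entries may be inert on OpenSSL builds that do not select DH parameters automatically; that is worth confirming against the actual SSL_CTX setup rather than inferring from the testssl.sh run. The commit message already admits that `mozillaModern` no longer describes the list, so renaming it to `mozillaIntermediate` or adding `// Mozilla "intermediate" profile, guidelines v5.7 (TLS 1.2 suites only)` above the declaration would save the next reader from the same confusion. The enclosing function starts and ends outside the hunk.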