[Bug 1087369] New: Change default TLS configuration of lighttpd for better security out-of-the-box
http://bugzilla.opensuse.org/show_bug.cgi?id=1087369

            Bug ID: 1087369
           Summary: Change default TLS configuration of lighttpd for better
                    security out-of-the-box
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.0
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
        Depends on: 1086764
          Found By: ---
           Blocker: ---

To comply with upcoming standards (PCI DSS) a default installation of nginx
should only support TLS 1.1 and above (1.2 recommended / strongly encouraged):

[0] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-g...
30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
For some more details refer to
[1] https://bugzilla.suse.com/show_bug.cgi?id=1086764

Therefore the default should be changed in /etc/lighttpd/lighttpd.conf

[2] https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
Configuration
======================
ssl.openssl.ssl-conf-cmd
    specify openssl config commands (e.g. ("Protocol" => "-ALL, TLSv1.2")
    restricts protocol to only TLS 1.2) (since 1.4.48)
    (commit https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/c09acbeb...)
======================

lighttpd version 1.4.48 is in openSUSE Tumbleweed and openSUSE Leap 15 only:
https://software.opensuse.org/package/lighttpd

Something like this should be in the 'SSL Support' section of the
/etc/lighttpd/lighttpd.conf file:
============================
# Allow TLS version 1.2 only, which is a recommended default these days
# by international information security standards.
#ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
============================

See also:
=============
[3] https://bugzilla.suse.com/show_bug.cgi?id=1086854
    (Change default TLS configuration of apache2 for better security out-of-the-box)
[4] https://bugzilla.suse.com/show_bug.cgi?id=1086855
    (Change default TLS configuration of nginx for better security out-of-the-box)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
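What the proposed directive actually leaves negotiable is easy to get wrong, because lighttpd hands the value of ssl.openssl.ssl-conf-cmd straight to OpenSSL's SSL_CONF command interpreter. The following added example (not code from the bug report or from the lighttpd project) extracts the active ssl.openssl.ssl-conf-cmd entries from a lighttpd.conf-style text and evaluates the OpenSSL "Protocol", "MinProtocol" and "MaxProtocol" commands the way OpenSSL does, against three constructed config snippets: the shipped default with the restriction only as a comment, the report's uncommented "-ALL, TLSv1.2" proposal, and a MinProtocol form. Assumptions, mine rather than the report's: the OpenSSL build supports every version in PROTOCOLS (distro builds often compile SSLv3 out), only full-line "#" comments are recognised, and the MinProtocol variant is my reading of the upstream wiki's recommended form, not something quoted from the report.

```python
"""Evaluate which TLS protocol versions a lighttpd config leaves enabled.

Added example, not code from the bug report or from the lighttpd project.
It extracts every active ssl.openssl.ssl-conf-cmd directive from a
lighttpd.conf-style text and applies the OpenSSL SSL_CONF commands
"Protocol", "MinProtocol" and "MaxProtocol" the way OpenSSL does:
all versions start enabled, a "-" prefix disables, an unprefixed (or "+")
name enables, "ALL" names every version, and Min/MaxProtocol clip the
result to a range. Assumptions: the OpenSSL build supports every version
listed in PROTOCOLS (distro builds often omit SSLv3), and only full-line
"#" comments are recognised.
"""
import re

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_BY_NAME = {p.lower(): p for p in PROTOCOLS}   # OpenSSL matches names case-insensitively
# "SSL/early TLS" in PCI DSS terms: not allowed after 30 June 2018
WEAK = frozenset(["SSLv3", "TLSv1", "TLSv1.1"])

_DIRECTIVE = re.compile(
    r'^\s*ssl\.openssl\.ssl-conf-cmd\s*\+?=\s*\((.*?)\)', re.M | re.S)
_PAIR = re.compile(r'"([^"]+)"\s*=>\s*"([^"]*)"')


def ssl_conf_cmds(conf_text):
    """Ordered (command, value) pairs from every uncommented
    ssl.openssl.ssl-conf-cmd directive ("=" and "+=" are both collected)."""
    active = "\n".join(line for line in conf_text.splitlines()
                       if not line.lstrip().startswith("#"))
    cmds = []
    for match in _DIRECTIVE.finditer(active):
        cmds.extend(_PAIR.findall(match.group(1)))
    return cmds


def _version_index(value):
    """Position of a protocol name in PROTOCOLS; rejects names OpenSSL would reject."""
    try:
        return PROTOCOLS.index(_BY_NAME[value.strip().lower()])
    except KeyError:
        raise ValueError("unknown protocol version %r" % value)


def enabled_protocols(conf_text):
    """Protocol versions still negotiable after applying the config, ascending."""
    enabled = set(PROTOCOLS)                 # OpenSSL default: everything enabled
    lo, hi = 0, len(PROTOCOLS) - 1           # Min/MaxProtocol bounds as indices
    for cmd, value in ssl_conf_cmds(conf_text):
        if cmd == "Protocol":
            for token in (t.strip() for t in value.split(",")):
                if not token:
                    continue
                disable = token.startswith("-")
                name = token.lstrip("+-")
                if name.upper() == "ALL":
                    names = set(PROTOCOLS)
                else:
                    names = {PROTOCOLS[_version_index(name)]}
                enabled = enabled - names if disable else enabled | names
        elif cmd == "MinProtocol" and value != "None":
            lo = max(lo, _version_index(value))
        elif cmd == "MaxProtocol" and value != "None":
            hi = min(hi, _version_index(value))
        # other commands (Options, CipherString, Curves, ...) do not affect versions
    return [p for i, p in enumerate(PROTOCOLS) if p in enabled and lo <= i <= hi]


def pci_dss_ok(conf_text):
    """True when no SSL/early-TLS version can still be negotiated."""
    return not (set(enabled_protocols(conf_text)) & WEAK)


# Constructed samples. DEFAULT_CONF mirrors what the report describes: the
# restriction present only as a comment. PROPOSED_CONF uncomments it.
# MINPROTO_CONF uses MinProtocol, which needs OpenSSL >= 1.1.0 (assumption
# about the upstream docs' recommended form, not quoted from the report).
DEFAULT_CONF = '''
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
  # Allow TLS version 1.2 only, which is a recommended default these days
  # by international information security standards.
  #ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
}
'''
PROPOSED_CONF = DEFAULT_CONF.replace("#ssl.openssl", "ssl.openssl")
MINPROTO_CONF = '''
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
  ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2",
                              "Options"     => "-ServerPreference")
}
'''

if __name__ == "__main__":
    for label, conf in (("shipped default", DEFAULT_CONF),
                        ("report's proposal", PROPOSED_CONF),
                        ("MinProtocol form", MINPROTO_CONF)):
        print("%-18s enabled=%-38s PCI DSS ok=%s" % (
            label, ",".join(enabled_protocols(conf)), pci_dss_ok(conf)))
```

Two things the run makes visible. The commented-out line in the shipped default changes nothing, so all five versions stay enabled and the PCI check fails. The report's "-ALL, TLSv1.2" passes the check but, on an OpenSSL 1.1.1 build, also shuts out TLS 1.3, whereas "MinProtocol" => "TLSv1.2" leaves TLS 1.2 and 1.3 enabled; that is the practical difference behind the TLS 1.2 / TLS 1.3 combination the upstream documentation recommends. The script only evaluates configuration; confirm the running server with a handshake that must fail, e.g. openssl s_client -connect host:443 -tls1_1.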
http://bugzilla.opensuse.org/show_bug.cgi?id=1087369#c3

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Andreas.Stieger@gmx.de

--- Comment #3 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
The upstream documentation already recommends a TLS 1.2 / TLS 1.3 combination.
I do not see your changes in the .debian.tar.xz to be effective at all, meaning
it will not be applied in the package. I threw this out, but can you please
state whether you just want the option (documented default) or some other
enforcement
https://build.opensuse.org/request/show/738111
http://bugzilla.opensuse.org/show_bug.cgi?id=1087369#c6

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
done