[heroes] FYI2: SSL enhancements
Hi again One of the recommendations of the latest security scans by MF-IT was to enhance the cipher suite settings and allowed SSL protocol settings for the Web-Services. I used the "intermediate" settings generated from here: https://ssl-config.mozilla.org/ to update the configurations of (hopefully) all services that allow SSL connections. If you encounter any problems (with still supported) browsers or tools, feel free to contact me directly (kl_eisbaer in IRC or via Email). Thanks, Lars -- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org
HI Lars, Am 29.11.19 um 00:57 schrieb Lars Vogdt:
One of the recommendations of the latest security scans by MF-IT was to enhance the cipher suite settings and allowed SSL protocol settings for the Web-Services.
Cool, thank you.
all services that allow SSL connections.
Do we/you have a list / overview of those :-)? It might make sense to monitor those for: - certificate expiration - cipher suite settings (to stay up on speed on security) Best regards, Karol Babioch
Am Fri, 29 Nov 2019 07:07:41 +0100
schrieb Karol Babioch
Do we/you have a list / overview of those :-)?
Well: partly ;-) All I have so far are the results of the scan - and this list only includes services which ended on the radar of the scanner...
It might make sense to monitor those for:
- certificate expiration - cipher suite settings (to stay up on speed on security)
Agreed. It even makes sense to deploy the settings via Salt... ;-) For both of your questions even exist functional monitoring checks - they just need to be enabled for the right service. In short: I'm working on it. Sadly not as fast as I want to. But even slow progress is progress here. There are others (even big companies) who still have year old settings... Regards, Lars -- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org
Hello, Am Freitag, 29. November 2019, 10:42:20 CET schrieb Lars Vogdt:
Am Fri, 29 Nov 2019 07:07:41 +0100 schrieb Karol Babioch:
Do we/you have a list / overview of those :-)?
Well: partly ;-) All I have so far are the results of the scan - and this list only includes services which ended on the radar of the scanner...
I'd say the list isn't too long if you look at the endpoints: - anna - elsa - daffy1 - daffy2 - status.o.o - status2.o.o - download.o.o - provo-mirror - OBS (not in the heroes network) Maybe I missed a single system which doesn't get routed via proxy.o.o or login2.o.o, but the fact that most services get routed via haproxy or login2.o.o makes this much easier. The alternative solution is to monitor all the domains listed in pillar/id/*, but maybe that's a bit too much. (www.o.o, news, lizards, bugzilla and forums still have terribly old SSL settings, but that's something to fix after migrating them away from MF-IT.)
It might make sense to monitor those for:
- certificate expiration - cipher suite settings (to stay up on speed on security)
Agreed. It even makes sense to deploy the settings via Salt... ;-)
Indeed.
For both of your questions even exist functional monitoring checks - they just need to be enabled for the right service.
See above ;-)
In short: I'm working on it. Sadly not as fast as I want to. But even slow progress is progress here.
Yeah, thanks for working on this! Regards, Christian Boltz -- [Netscape 4] Wer heute noch mit nem Browser rumsurft, der Standards von 1998 nicht korrekt umzusetzen vermag, der soll ruhig ein bisserl drunter leiden, nicht nur der Webdesigner ;-) [Manfred Tremmel in suse-linux] -- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org
participants (4)
-
Christian Boltz -
Karol Babioch -
Lars Vogdt -
Lars Vogdt