Project

General

Profile

Tâche #11337

Distribution EOLE - Scénario #10951: Désactiver le protocole SSLv3 sur les services web

Désactiver le SSLv3 sur Nginx

Added by Joël Cuissinat over 6 years ago. Updated over 6 years ago.

Status:
Fermé
Priority:
Normal
Assigned To:
Start date:
04/20/2015
Due date:
% Done:

100%

Estimated time:
3.00 h
Spent time:
Remaining (hours):
0.0

Related issues

Related to Distribution EOLE - Scénario #11870: Corriger la mise à jour du paquet eole-flask lors de l'Upgrade du module Amon de 2.4.0 vers 2.4.1 Terminé (Sprint) 06/01/2015 06/19/2015

Associated revisions

Revision 1f41f320 (diff)
Added by Joël Cuissinat over 6 years ago

Désactivation du protocole SSLv3 pour Nginx

  • tmpl/nginx.default : ajout de "ssl_protocols TLSv1;"

Ref: #11337 @2h

Revision 3a5fda9c (diff)
Added by Joël Cuissinat over 6 years ago

Ajout d'un fichier conf.d pour désactiver le protocole SSLv3

  • nosslv3.conf : fichier contenant la directive désactivant le protocole
  • eoleflask.mk : installation du fichier dans /etc/nginx/conf.d

Ref: #11337 @30m

Revision 6264bfe1 (diff)
Added by Joël Cuissinat over 6 years ago

Prise en compte de /etc/nginx/conf.d dans le packaging

  • debian/eole-flask.install : ajout de "etc/nginx/conf.d"

Ref: #11337 @10m

Revision 96640776 (diff)
Added by Joël Cuissinat over 6 years ago

Prise en compte de /etc/nginx/conf.d dans le packaging

  • debian/eole-flask.install : ajout de "etc/nginx/conf.d"

Ref: #11337 @5m [2.5.0]

History

#1 Updated by Laurent Flori over 6 years ago

  • Assigned To set to Laurent Flori

#2 Updated by Daniel Dehennin over 6 years ago

  • Status changed from Nouveau to En cours

#3 Updated by Joël Cuissinat over 6 years ago

  • Assigned To changed from Laurent Flori to Joël Cuissinat

#4 Updated by Joël Cuissinat over 6 years ago

  • % Done changed from 0 to 100

#5 Updated by Joël Cuissinat over 6 years ago

  • Status changed from En cours to Résolu
  • Remaining (hours) changed from 3.0 to 0.25

#6 Updated by Daniel Dehennin over 6 years ago

  • Status changed from Résolu to Fermé
  • Remaining (hours) changed from 0.25 to 0.0

Ok avec eole-flask version 2.4.1-16 en eole-2.4.1-proposed-updates

gnutls-cli-debug -p 7000 scribe.ac-test.fr
GnuTLS debug client 3.3.15
Checking scribe.ac-test.fr:7000
unknown protocol afs3-fileserver
                             for SSL 3.0 (RFC6101) support... no
                        whether we need to disable TLS 1.2... no
                        whether we need to disable TLS 1.1... no
                        whether we need to disable TLS 1.0... no
                        whether %NO_EXTENSIONS is required... no
                               whether %COMPAT is required... no
                             for TLS 1.0 (RFC2246) support... yes
                             for TLS 1.1 (RFC4346) support... no
                                  fallback from TLS 1.1 to... TLS 1.0
                             for TLS 1.2 (RFC5246) support... no
                               for certificate chain order... sorted
                  for safe renegotiation (RFC5746) support... yes
                           for heartbeat (RFC6520) support... no
                       for version rollback bug in RSA PMS... no
                  for version rollback bug in Client Hello... no
            whether the server ignores the RSA PMS version... no
            whether small records (512 bytes) are accepted... yes
    whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
         whether the server understands TLS closure alerts... partially
            whether the server supports session resumption... no
                      for anonymous authentication support... no
                      for ephemeral Diffie-Hellman support... yes
                   for ephemeral EC Diffie-Hellman support... yes
                    ephemeral EC Diffie-Hellman group info... SECP256R1
                  for AES-128-GCM cipher (RFC5288) support... no
                  for AES-128-CBC cipher (RFC3268) support... yes
             for CAMELLIA-128-GCM cipher (RFC6367) support... no
             for CAMELLIA-128-CBC cipher (RFC5932) support... yes
                     for 3DES-CBC cipher (RFC2246) support... yes
                  for ARCFOUR 128 cipher (RFC2246) support... no
                                       for MD5 MAC support... no
                                      for SHA1 MAC support... yes
                                    for SHA256 MAC support... no
                              for ZLIB compression support... no
                     for max record size (RFC6066) support... no
                for OCSP status response (RFC6066) support... no
              for OpenPGP authentication (RFC6091) support... no

Also available in: Atom PDF