From 18d4af9890bc3e4d9277accaa6a8d4bad7700f91 Mon Sep 17 00:00:00 2001 From: GONG Jie Date: Wed, 13 Mar 2019 17:11:21 +0800 Subject: [PATCH] Update document for ssl_config --- docs/source/advanced/security/ssl_config.rst | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/docs/source/advanced/security/ssl_config.rst b/docs/source/advanced/security/ssl_config.rst index 58f01bc3a..0c411e8d7 100644 --- a/docs/source/advanced/security/ssl_config.rst +++ b/docs/source/advanced/security/ssl_config.rst @@ -8,21 +8,13 @@ The configuration is stored in the xCAT site table using the ``site.xcatsslversi Configuration ------------- -By default, xCAT ships with ``TLSv1`` configured. The current highest SSL version that can be supported is ``TLSv1.2``. +``site.xcatsslversion`` is the ``SSL_version`` option ``xcatd`` used and passed to ``IO::Socket::SSL->start_SSL()``. By default, this value is set to empty. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. For more detail, see https://metacpan.org/pod/IO::Socket::SSL +By default, xCAT ships with an empty value for ``site.xcatsslversion``. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. -* For rhels7.x and sles12.x and higher: :: - - chtab key=xcatsslversion site.value=TLSv12 - -* For ubuntu 14.x and higher: :: +Here is an example of change ``site.xcatsslversoin`` to a different value. Say, TLS 1.2 is preferred. :: chtab key=xcatsslversion site.value=TLSv1_2 -* For AIX 7.1.3.x: :: - - chtab key=xcatsslversion site.value=TLSv1_2 - - If running > ``TLSv1``, it is possible to disable insecure ciphers. Here's an example of one possible configuration: :: "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,
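Review bot: The added example line misspells the site key as ``site.xcatsslversoin``; since readers copy these names, it should read ``site.xcatsslversion`` (the ``chtab`` command below it already uses the correct key). The same sentence reads "an example of change ``site.xcatsslversoin`` to a different value", which should be "an example of changing ``site.xcatsslversion`` to a different value". The two added paragraphs also both say that the default is empty and that ``xcatd`` then uses ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally; keep that statement once, and tighten "the ``SSL_version`` option ``xcatd`` used and passed to" to "uses and passes to". Finally, the hunk drops the rhels7/sles12 ``TLSv12`` spelling in favour of a single ``TLSv1_2`` example; if the accepted value is the same on every platform that is a welcome simplification, but the commit message does not say so, and the unchanged "If running > ``TLSv1``" sentence that follows should be revisited now that the documented default already excludes ``TLSv1``.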