Update document for ssl_config

2025-10-31 11:22:27 +00:00 · 2019-03-13 17:11:21 +08:00
parent 26c27cc55e
commit 18d4af9890
1 changed files with 3 additions and 11 deletions
--- a/docs/source/advanced/security/ssl_config.rst
+++ b/docs/source/advanced/security/ssl_config.rst
@@ -8,21 +8,13 @@ The configuration is stored in the xCAT site table using the ``site.xcatsslversi
 Configuration
 -------------

-By default, xCAT ships with ``TLSv1`` configured.  The current highest SSL version that can be supported is ``TLSv1.2``.
+``site.xcatsslversion`` is the ``SSL_version`` option ``xcatd`` used and passed to ``IO::Socket::SSL->start_SSL()``. By default, this value is set to empty. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally. For more detail, see https://metacpan.org/pod/IO::Socket::SSL
+By default, xCAT ships with an empty value for ``site.xcatsslversion``. In this case, ``xcatd`` will use ``SSLv23:!SSLv2:!SSLv3:!TLSv1`` internally.

-* For rhels7.x and sles12.x and higher: ::
-
-    chtab key=xcatsslversion site.value=TLSv12
-
-* For ubuntu 14.x and higher: ::
+Here is an example of change ``site.xcatsslversoin`` to a different value. Say, TLS 1.2 is preferred. ::

    chtab key=xcatsslversion site.value=TLSv1_2

-* For AIX 7.1.3.x: ::
-
-    chtab key=xcatsslversion site.value=TLSv1_2
-
-
 If running > ``TLSv1``, it is possible to disable insecure ciphers.  Here's an example of one possible configuration: ::

    "xcatsslciphers","kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!MEDIUM:!LOW:!MD5:!EXPORT:!CAMELLIA:!ECDH",,