Tighten some security parameters

2025-09-29 21:48:11 +00:00 · 2018-06-06 14:23:04 -04:00
parent 85c8bc092f
commit 295757c8ef
2 changed files with 4 additions and 3 deletions
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -1517,8 +1517,8 @@ until ($quit) {

        populate_site_hash();
        my %extrasslargs;
-        if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
-        if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; }
+	#if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
+        if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; } else { $extrasslargs{SSL_cipher_list} = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; }
        use Data::Dumper;

        $SIG{ALRM} = sub { $ssltimeout = 1; die; };
@@ -1528,6 +1528,7 @@ until ($quit) {
                SSL_key_file    => $xcatdir . "/cert/server-cred.pem",
                SSL_cert_file   => $xcatdir . "/cert/server-cred.pem",
                SSL_ca_file     => $xcatdir . "/cert/ca.pem",
+		SSL_ecdh_curve => 'prime256v1',
                SSL_server      => 1,
                SSL_verify_mode => 1,
                %extrasslargs,
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
@@ -67,7 +67,7 @@ cert_opt 	= ca_default		# Certificate field options

 default_days	= 7300			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= sha1			# which md to use.
+default_md	= sha256		# which md to use.
 preserve	= no			# keep passed DN ordering

 # A few difference way of specifying how similar the request should look