mirror of https://github.com/xcat2/xcat-core.git synced 2025-09-09 03:38:16 +00:00

Tighten some security parameters

Jarrod Johnson
2018-06-06 14:23:04 -04:00
parent 85c8bc092f
commit 295757c8ef
2 changed files with 4 additions and 3 deletions


@@ -1517,8 +1517,8 @@ until ($quit) {
populate_site_hash();
my %extrasslargs;
if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; }
#if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }
if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; } else { $extrasslargs{SSL_cipher_list} = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; }
use Data::Dumper;
$SIG{ALRM} = sub { $ssltimeout = 1; die; };
@@ -1528,6 +1528,7 @@ until ($quit) {
SSL_key_file => $xcatdir . "/cert/server-cred.pem",
SSL_cert_file => $xcatdir . "/cert/server-cred.pem",
SSL_ca_file => $xcatdir . "/cert/ca.pem",
SSL_ecdh_curve => 'prime256v1',
SSL_server => 1,
SSL_verify_mode => 1,
%extrasslargs,
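Review bot: The line commented out at `#if ($::XCATSITEVALS{xcatsslversion})` in the first hunk means a site that sets `xcatsslversion` now has that value silently ignored, and nothing in either hunk puts a protocol floor in its place. The new default cipher list is GCM-only, which in practice limits the handshake to TLS 1.2, but once an admin sets `xcatsslciphers` the minimum version is left to the TLS library default (presumably IO::Socket::SSL, going by the option names). I would either keep honouring the setting, `if ($::XCATSITEVALS{xcatsslversion}) { $extrasslargs{SSL_version} = $::XCATSITEVALS{xcatsslversion}; }`, or replace the dead line with a comment that says why it is disabled, e.g. `# xcatsslversion is intentionally ignored here: <reason>`. The enclosing `until ($quit)` loop and the socket constructor call both start and end outside the hunks.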


@@ -67,7 +67,7 @@ cert_opt = ca_default # Certificate field options
default_days = 7300 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
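Review bot: Changing `default_md` to sha256 only affects certificates signed after this config is deployed; anything already issued with a SHA-1 signature keeps it until it is reissued, and neither the config nor the commit says so. With `default_days = 7300` in the same block, such certificates may stay valid for a long time. I would add a comment beside the setting, e.g. `# applies to newly signed certs only; reissue existing SHA-1 certs after upgrade`, so operators know a regeneration step is needed.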