Harden opsiconfd? (disable TLS 1.0 and RC4 ciphers)

shade
Posts: 42
Joined: 10 Aug 2012, 15:14

Post by shade » 15 May 2018, 17:46

Hello,

Is it possible to harden the default setting for the opsiconfd web service (port 4447)? Like removing support for TLS 1.0 and disabling RC4 cipher suites.

Can that be configured and can the opsiclient support that?

Regards
S

n.wenselowski
Posts: 2823
Joined: 04 Apr 2013, 12:15

Re: Harden opsiconfd? (disable TLS 1.0 and RC4 ciphers)

Post by n.wenselowski » 05 Jun 2018, 17:12

Hi S,

shade wrote: Is it possible to harden the default setting for the opsiconfd web service (port 4447)? Like removing support for TLS 1.0 and disabling RC4 cipher suites.

opsiconfd has an option "accepted ciphers" in its config file that can be used to limit the ciphers that are accepted for the communication. There should be some examples in our forums already.
As for TLS, we go with whatever the server has available, and there currently isn't any configuration possible on that side. I took the somewhat lazy route that the OS lib probably will drop whatever is insecure sooner or later, as my last looks at that showed that it wasn't as straightforward to implement as I'd like it to be. Would you think that being able to configure the allowed TLS version would be useful anyway?


Kind regards

Niko
No support via DM!
_________________________
opsi support - uib gmbh
For productive opsi installations we recommend support contracts.
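
One way to verify from a client what the thread asks about (TLS 1.0 and RC4 on port 4447) after changing the cipher setting or updating the OS TLS library. This is an added example, not part of the original posts and not opsi code; the host name and the function names `probe` and `audit` are assumptions.

```python
import socket
import ssl

# Constructed placeholder target (assumption); use your own opsi config server.
HOST, PORT = "opsi-server.example.org", 4447


def probe(host, port, version, ciphers="ALL:@SECLEVEL=0", timeout=3.0):
    """Offer exactly one TLS version and cipher set; classify the outcome."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # only protocol support is checked here
        ctx.minimum_version = ctx.maximum_version = version
        # SECLEVEL=0 lets the local client offer legacy protocols and ciphers;
        # a hardened local OpenSSL would otherwise never offer TLS 1.0.
        ctx.set_ciphers(ciphers)
    except (ssl.SSLError, ValueError):
        # The local OpenSSL cannot offer this (for example RC4 compiled out),
        # so a failed handshake would say nothing about the server.
        return "untestable"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except OSError:  # ssl.SSLError, resets and timeouts are all OSError
        return "rejected"
    finally:
        sock.close()


def audit(host, port):
    """The two checks from the thread plus a TLS 1.2 baseline."""
    return {
        "TLS 1.0": probe(host, port, ssl.TLSVersion.TLSv1),
        "TLS 1.2": probe(host, port, ssl.TLSVersion.TLSv1_2),
        "RC4 (TLS 1.2)": probe(host, port, ssl.TLSVersion.TLSv1_2,
                               ciphers="RC4:@SECLEVEL=0"),
    }


if __name__ == "__main__":
    for check, result in audit(HOST, PORT).items():
        print(f"{check:15} {result}")
```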