Harden opsiconfd? (disable TLS 1.0 and RC4 ciphers)

shade
Posts: 49
Joined: 10 Aug 2012, 15:14

Post by shade

Hello,

Is it possible to harden the default setting for the opsiconfd web service (port 4447)? Like remove support for TLS 1.0 and disable RC4 cipher suites.

Can that be configured and can the opsiclient support that?

Regards
S
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: Harden opsiconfd? (disable TLS 1.0 and RC4 ciphers)

Post by n.wenselowski

Hi S,
shade wrote: Is it possible to harden the default setting for the opsiconfd web service (port 4447)? Like remove support for TLS 1.0 and disable RC4 cipher suites.

opsiconfd has an option accepted ciphers in its config file that can be used to limit the ciphers that are accepted for the communication. There should be some examples in our forums already.
As for TLS we go with whatever the server has available and there currently isn't any configuration possible on that side. I took the somewhat lazy route that the OS lib probably will drop whatever is insecure sooner or later, as my last looks at that showed that it wasn't as straightforward to implement as I'd like it to be. Would you think that being able to configure the allowed TLS version would be useful anyway?


Kind regards

Niko

Code:

import OPSI
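
One way to check from the client side what the service still negotiates, as an added example that is not part of this thread or of opsi's own code: it attempts handshakes against the service port (4447, from the question) pinned to TLS 1.0, to TLS 1.2 and to RC4-only suites, and reports the outcome of each. The function names, the probe table and the outcome labels are assumptions of this example.

```python
import socket
import ssl
import sys
import warnings

# label -> (protocol version pinned for the handshake, OpenSSL cipher string).
# "@SECLEVEL=0" lets the local OpenSSL offer legacy settings it would otherwise
# refuse, so a failed handshake reflects the server and not this client.
PROBES = {
    "TLS 1.0": (ssl.TLSVersion.TLSv1, "ALL:@SECLEVEL=0"),
    "TLS 1.2": (ssl.TLSVersion.TLSv1_2, "ALL:@SECLEVEL=0"),
    "RC4 suites": (ssl.TLSVersion.TLSv1_2, "RC4:@SECLEVEL=0"),
}


def probe(host, port, version, ciphers, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'client-cannot-offer'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only protocol/cipher negotiation is tested;
    ctx.verify_mode = ssl.CERT_NONE  # assumed: the server may use a self-signed cert
    try:
        with warnings.catch_warnings():  # pinning TLS 1.0 is deprecated in Python
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers(ciphers)
    except (ssl.SSLError, ValueError):
        return "client-cannot-offer"  # e.g. RC4 is compiled out of modern OpenSSL
    if not any(c["protocol"] != "TLSv1.3" for c in ctx.get_ciphers()):
        return "client-cannot-offer"  # only TLS 1.3 suites left; unusable here
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"         # handshake completed with the pinned settings
    except OSError:                   # ssl.SSLError, reset and timeout are OSErrors
        return "rejected"
    finally:
        sock.close()


def audit(host, port=4447):
    """Run every probe against host:port and return {label: outcome}."""
    return {label: probe(host, port, v, c) for label, (v, c) in PROBES.items()}


if __name__ == "__main__":
    for label, outcome in audit(sys.argv[1]).items():
        print(f"{label:<12}{outcome}")
```

Run it with the server's host name as the only argument. A result of `client-cannot-offer` means the local OpenSSL build cannot send that offer, so the probe says nothing about the server and has to be repeated from a client that still supports the legacy setting.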