TLS cipher suite changes on master
Ed Tanous
ed.tanous at intel.com
Sat Feb 23 04:28:56 AEDT 2019
FYI, this change was attempted again this morning. Be on the lookout.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/18083
-Ed
On 1/18/19 3:51 PM, Tanous, Ed wrote:
> I’d like to draw people’s attention to a patchset for bmcweb here:
>
> https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/17390/
>
> This is updating the bmcweb cipher suites to more secure values, and in
> turn deprecating support for some older frameworks that we might have as
> clients. As stated in the patch, we are following OWASP “B” cipher
> suite recommendations, although I would like to see us move to “A” in
> the near future. I have tested several browsers, and several OpenSSL
> versions, and they seem to work. I’m bringing attention to this to
> mention that if people see issues in HTTPS in the next week or so, they
> are likely the result of this change, and to report them so we can get
> them resolved. The most likely culprit is going to be out-of-date
> crypto frameworks (think pyCrypto type) that don’t have support for
> SHA256. If we lose compatibility for anything important, we need to get
> it identified so we can roll back the changes, or get frameworks up to
> date. In most cases, it will give a very unhelpful “Unable to make
> secure connection” or “No shared cipher suites” message, which is pretty
> cryptic if you don’t know what to look for.
>
> Hopefully this goes off without a hitch, and this email was unnecessary,
> but in the case that I’ve made an error, hopefully this warning will
> save people some time.
>
> -Ed
>