TLS cipher suite changes on master

Tanous, Ed ed.tanous at intel.com
Sat Jan 19 10:51:24 AEDT 2019


I'd like to draw people's attention to a patchset for bmcweb here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/17390/

This is updating the bmcweb cipher suites to more secure values, and in turn deprecating support for some older frameworks that we might have as clients.  As stated in the patch, we are following OWASP "B" cipher suite recommendations, although I would like to see us move to "A" in the near future.  I have tested several browsers, and several OpenSSL versions, and they seem to work.  I'm bringing attention to this to mention that if people see issues in HTTPS in the next week or so, they are likely the result of this change, and to report them so we can get them resolved.  The most likely culprit is going to be out-of-date crypto frameworks (think pyCrypto type) that don't have support for SHA256.  If we lose compatibility for anything important, we need to get it identified so we can roll back the changes, or get frameworks up to date.  In most cases, it will give a very unhelpful "Unable to make secure connection" or "No shared cipher suites" message, which is pretty cryptic if you don't know what to look for.

Hopefully this goes off without a hitch, and this email was unnecessary, but in the case that I've made an error, hopefully this warning will save people some time.

-Ed
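
Added example, not part of the original email or the bmcweb patch: a local check that expands a server cipher policy and a client's cipher list with the installed OpenSSL and reports whether they overlap, which is the condition behind the "No shared cipher suites" message described above. The cipher strings are assumptions chosen for illustration; substitute the string from the patch and the list your client offers.

```python
import ssl

# Assumed cipher strings (OpenSSL syntax); neither is copied from the bmcweb patch.
SERVER_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM"   # stand-in for an AEAD/SHA256-or-better policy
LEGACY_CLIENT = "ECDHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA"   # client with SHA-1 suites only
MODERN_CLIENT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA"


def tls12_suites(cipher_string):
    """Expand an OpenSSL cipher string into the ordered TLS <= 1.2 suite
    names that the local OpenSSL build actually enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the local build supports none of the requested suites
    # set_ciphers() does not control TLS 1.3 suites, so drop them from the listing.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_suites(server_string, client_string):
    """Suites both sides offer, in the server string's order.
    An empty list means a TLS 1.2 handshake ends with 'no shared cipher'."""
    client = set(tls12_suites(client_string))
    return [name for name in tls12_suites(server_string) if name in client]


def diagnose(server_string, client_string):
    """One-line verdict suitable for a bug report."""
    common = shared_suites(server_string, client_string)
    if common:
        return "ok: first shared suite is " + common[0]
    return "handshake would fail: no shared cipher suites"


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("legacy client:", diagnose(SERVER_CIPHERS, LEGACY_CLIENT))
    print("modern client:", diagnose(SERVER_CIPHERS, MODERN_CLIENT))
```

The result reflects the OpenSSL build that Python is linked against, so run it on the machine where the failing client lives.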