Commit 67b89bdd authored by Josh Cooper

(PUP-3467) Update webrick ciphersuites to match passenger

Previously, puppet's webrick server did not specify which ciphersuites
it would accept. Depending on the ruby and openssl, the default set of
ciphersuites is:

    $ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]'
    ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Note that "ALL:!ADH" does not exclude AECDH, and the default param
string includes "LOW", e.g. DES-CBC-SHA.

This commit updates the webrick ciphersuites to match the value used
in passenger in commit 204b2974. The resulting ciphersuites are:

    [["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
parent cb6bc786
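
As an added example that is not part of the commit or of Puppet's code, the Ruby below audits a cipher list in the tuple format shown above for the two problems the message names: anonymous key exchange and LOW-grade ciphers. The helper names, the 128-bit threshold and the sample tuples are assumptions made for the illustration.

```ruby
# Added example: audit tuples in the [name, protocol, bits, alg_bits] shape
# returned by OpenSSL::SSL::SSLContext#ciphers (the format listed above).

# OpenSSL names anonymous (unauthenticated) suites ADH-* and AECDH-*.
ANON_PREFIXES = %w[ADH- AECDH-].freeze
MIN_BITS = 128 # assumption: anything below 128 bits counts as LOW grade

# Expand an OpenSSL cipher string using the local OpenSSL build.
# The result depends on the installed OpenSSL version and its build options.
def expand(cipher_string)
  require 'openssl'
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers
end

# Return { cipher_name => [reasons] } for every suite a server should not offer.
def audit(suites)
  suites.each_with_object({}) do |(name, _proto, bits, _alg_bits), findings|
    reasons = []
    reasons << 'anonymous key exchange' if ANON_PREFIXES.any? { |p| name.start_with?(p) }
    reasons << "weak cipher (#{bits} bits)" if bits < MIN_BITS
    findings[name] = reasons unless reasons.empty?
  end
end

# Constructed sample: two entries of the kind a permissive default string can
# admit, followed by two suites from the commit's resulting list.
SAMPLE = [
  ['AECDH-AES256-SHA', 'TLSv1/SSLv3', 256, 256],
  ['DES-CBC-SHA', 'TLSv1/SSLv3', 56, 56],
  ['ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256, 256],
  ['AES128-SHA', 'TLSv1/SSLv3', 128, 128]
].freeze

if __FILE__ == $PROGRAM_NAME
  # With an argument, audit that cipher string as the local OpenSSL expands it;
  # without one, audit the constructed sample.
  suites = ARGV.empty? ? SAMPLE : expand(ARGV.first)
  findings = audit(suites)
  findings.each { |name, why| puts "#{name}: #{why.join(', ')}" }
  puts "#{suites.size} suites checked, #{findings.size} flagged"
end
```

Passing a cipher string as the first argument audits what the local OpenSSL build actually enables for it, which is the value that matters on a given server.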