(PUP-3467) Update webrick ciphersuites to match passenger
Previously, puppet's webrick server did not specify which ciphersuites it would accept. Depending on the ruby and openssl, the default set of ciphersuites is: $ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]' ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW Note that "ALL:!ADH" does not exclude AECDH, and the default param string includes "LOW", e.g. DES-CBC-SHA. This commit updates the webrick ciphersuites to match the value used in passenger in commit 204b2974. The resulting ciphersuites are: [["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256], ["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256], ["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128], ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128], ["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256], ["AES256-SHA", "TLSv1/SSLv3", 256, 256], ["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128], ["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
parent
cb6bc786
Please register or sign in to comment