[SAC] [OSGeo] #2926: Fix forward secrecy on osgeo9

#2926: Fix forward secrecy on osgeo9
---------------------------+--------------------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2023-I
Component: Systems Admin | Keywords:
---------------------------+--------------------------------------
The osgeo9 server is getting a B score on SSL Labs because of the forward
secrecy setting.

https://blog.qualys.com/product-tech/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update?_ga=2.93270165.907080469.1682616254-892586743.1682616254

This affects all websites on osgeo9.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2926>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2926: Fix forward secrecy on osgeo9 and osgeo8
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2023-I
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed
* summary: Fix forward secrecy on osgeo9 => Fix forward secrecy on osgeo9
     and osgeo8

Comment:

Was an issue on both osgeo8 and osgeo9. Had to add this line to
/etc/nginx/nginx.conf, as noted in
https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

{{{
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

}}}

osgeo7's nginx doesn't have an ssl_ciphers setting, yet it seems to be fine,
so the defaults on nginx/1.18.0 (Ubuntu), which is what osgeo7 is running,
and on nginx/1.18.0 (Debian bullseye) must be different, and the Ubuntu one
is stricter.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2926#comment:1>
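
Added example, not part of the ticket and not OSGeo's own tooling: a token-level lint for an nginx ssl_ciphers value in OpenSSL cipher-string syntax, run over the directive posted in the comment above. The function names and the trimmed comparison variant are assumptions made for illustration; the lint is a heuristic, and the authoritative expansion is what `openssl ciphers -v` prints for the same string on the server itself.

```python
import re

# Selectors that name an ephemeral (forward-secret) key exchange in OpenSSL syntax.
FS_KEX = {"EECDH", "ECDHE", "kEECDH", "kECDHE", "EDH", "DHE", "kEDH", "kDHE"}
# Algorithm selectors that current guidance treats as weak.
WEAK = {"RC4", "3DES", "DES", "MD5", "EXP", "EXPORT", "LOW", "NULL", "aNULL", "eNULL"}

# The directive as posted in the ticket comment (line wrapping included).
TICKET_CONF = '''
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
'''
# Constructed variant for comparison (not from the ticket): both RC4 selectors dropped.
TRIMMED_CONF = TICKET_CONF.replace("EECDH+aRSA+RC4\n", "").replace(" RC4 ", " ")


def extract_ssl_ciphers(conf_text):
    """Return the first uncommented ssl_ciphers value, or None if the directive is absent."""
    m = re.search(r'^\s*ssl_ciphers\s+"?([^";]+)"?\s*;', conf_text, re.M)
    return " ".join(m.group(1).split()) if m else None


def audit(cipher_string):
    """Return (token, reason) findings. Heuristic only: it reads tokens, not cipher suites."""
    tokens = re.split(r"[\s:,]+", cipher_string.strip())
    banned = {t[1:] for t in tokens if t.startswith("!")}  # "!X" removes X permanently
    findings = []
    for tok in tokens:
        if not tok or tok[0] in "!-@":  # exclusions, deletions and @ rules select nothing
            continue
        parts = set(tok.lstrip("+").split("+"))
        if not parts & FS_KEX:
            # e.g. a bare "RC4" or "HIGH" also admits suites with static RSA key exchange
            findings.append((tok, "no ephemeral key exchange named"))
        for weak in sorted((parts & WEAK) - banned):
            findings.append((tok, "selects weak algorithm " + weak))
    return findings


if __name__ == "__main__":
    for label, conf in (("ticket", TICKET_CONF), ("trimmed", TRIMMED_CONF)):
        value = extract_ssl_ciphers(conf)
        print(label, audit(value) if value else "no ssl_ciphers directive, defaults apply")
```

A config with no ssl_ciphers directive, as described for osgeo7, makes extract_ssl_ciphers return None, which is the cue to check the build's default list instead.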