Increasing HTTPS security on FOG
|
2020-05-12, 15:30
Post: #1
|
|||
|
|||
Increasing HTTPS security on FOG
Hi,
I am looking into increasing the SSL level on my FOG server (which utilizes iPXE) It ships with iPXE 1.20.1 according to my attempts to boot. I am hosting the HTTPS in Apache2 I can disable SSLv3, TLSv1, TLSv1.1 but from what I can tell iPXE lacks support for TLSv1.3 so I cannot disable TLSv1.2. Can this be confirmed? Also when I use this following Ciphersuite # SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 PXE fails to boot where as the built in suite SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA boots successfully. What am I missing specifically that its both secure and supported by iPXE. Thanks! |
|||
2020-05-14, 05:51
Post: #2
|
|||
|
|||
RE: Increasing HTTPS security on FOG
I recommend that you take a look at existing messages at the mailing list, and also github pullrequests.
Simply, iPXE do not have the latest SSL features. Use GitHub Discussions VRAM bin |
|||
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 2 Guest(s)