* TLS cipher suite changes on master
@ 2019-01-18 23:51 Tanous, Ed
  2019-02-22 17:28 ` Ed Tanous
From: Tanous, Ed @ 2019-01-18 23:51 UTC
  To: OpenBMC Maillist

I'd like to draw people's attention to a patchset for bmcweb here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/17390/

This is updating the bmcweb cipher suites to more secure values, and in turn deprecating support for some older framework that we might have as clients.  As stated in the patch, we are following OWASP "B" cipher suite recommendations, although I would like to see us move to "A" in the near future.  I have tested several browsers, and several OpenSSL versions, and they seem to work.  I'm bringing attention to this to mention that if people see issues in HTTPS in the next week or so, they are likely the result of this change, and to report them so we can get them resolved.  The most likely culprit is going to be out of date crypto frameworks (think pyCrypto type) that don't have support for SHA256.  If we lose compatibility for anything important, we need to get it identified so we can roll back the changes, or get frameworks up to date.  In most cases, it will give a very unhelpful "Unable to make secure connection" or "No shared cipher suites" message, which is pretty cryptic if you don't know what to look for.

Hopefully this goes off without a hitch, and this email was unnecessary, but in the case that I've made an error, hopefully this warning will save people some time.

-Ed
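
An added example, not part of the original message and not bmcweb code: a small check for diagnosing the "No shared cipher suites" failure described above by comparing what a client offers with what a server accepts. `SERVER_SUITES` and `LEGACY_CLIENT` are constructed, assumed lists; the list bmcweb actually uses is in the Gerrit change.

```python
import ssl

# Constructed server policy (assumption): TLS 1.2 suites that all need SHA-256/384.
# The list bmcweb actually ships is in the Gerrit change and is not reproduced here.
SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]

# Constructed offer from an out-of-date client stack that only has SHA-1 suites.
LEGACY_CLIENT = ["ECDHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]


def local_suites(cipher_string="DEFAULT"):
    """OpenSSL names of the suites this Python/OpenSSL build will offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def diagnose(client_offer, server_accept=SERVER_SUITES):
    """Return (shared suites in server order, human-readable verdict)."""
    offered = set(client_offer)
    shared = [s for s in server_accept if s in offered]
    if shared:
        return shared, "handshake possible, e.g. " + shared[0]
    # Heuristic on OpenSSL suite names: the hash is the trailing component.
    sha2 = [c for c in client_offer if c.endswith(("SHA256", "SHA384"))]
    if not sha2:
        return shared, "no shared cipher: client offers no SHA-256/384 suites"
    return shared, "no shared cipher: client has SHA-2 suites, but none the server accepts"


if __name__ == "__main__":
    for label, offer in (("legacy (constructed)", LEGACY_CLIENT),
                         ("this host", local_suites())):
        shared, verdict = diagnose(offer)
        print(f"{label}: {verdict}")
```

To check a specific client library, pass the suite names it offers (for example from its documentation or a handshake capture) as `client_offer`.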

* Re: TLS cipher suite changes on master
  2019-01-18 23:51 TLS cipher suite changes on master Tanous, Ed
@ 2019-02-22 17:28 ` Ed Tanous
From: Ed Tanous @ 2019-02-22 17:28 UTC
  To: openbmc

FYI, this change was attempted again this morning.  Be on the lookout.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/18083

-Ed

On 1/18/19 3:51 PM, Tanous, Ed wrote:
> I’d like to draw people’s attention to a patchset for bmcweb here:
> 
> https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/17390/
>
> This is updating the bmcweb cipher suites to more secure values, and in
> turn deprecating support for some older framework that we might have as
> clients.  As stated in the patch, we are following OWASP “B” cipher
> suite recommendations, although I would like to see us move to “A” in
> the near future.  I have tested several browsers, and several OpenSSL
> versions, and they seem to work.  I’m bringing attention to this to
> mention that if people see issues in HTTPS in the next week or so, they
> are likely the result of this change, and to report them so we can get
> them resolved.  The most likely culprit is going to be out of date
> crypto frameworks (think pyCrypto type) that don’t have support for
> SHA256.  If we lose compatibility for anything important, we need to get
> it identified so we can roll back the changes, or get frameworks up to
> date.  In most cases, it will give a very unhelpful “Unable to make
> secure connection” or “No shared cipher suites” message, which is pretty
> cryptic if you don’t know what to look for.
>
> Hopefully this goes off without a hitch, and this email was unnecessary,
> but in the case that I’ve made an error, hopefully this warning will
> save people some time.
>
> -Ed
> 
