Wir müssen TLS_RSA_WITH_AES_256_GCM_SHA384 deaktivieren, das auf Port 8008 und 9090 läuft.

Die folgenden Prozesse laufen auf den Ports 8008 bzw. 9090 -

ruby /usr/bin/smart_proxy_dynflow_core -d -p /var/run/foreman-proxy/smart_proxy_dynflow_core.pid

ruby /usr/share/foreman-proxy/bin/smart-proxy --no-daemonize

Unten finden Sie die Konfigurationsdatei von /etc/foreman-installer/custom-hiera.yaml

Vorarbeiter-Proxy

foreman_proxy::tls_disabled_versions: [ '1.1' ]
foreman_proxy::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA', 'AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

Dynflow

foreman_proxy::plugin::dynflow::tls_disabled_versions: [ '1.1' ]
foreman_proxy::plugin::dynflow::ssl_disabled_ciphers: ['AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

Apache

apache::mod::ssl::ssl_protocol: [ 'ALL' , '-SSLv3' , '-TLSv1' , '-TLSv1.1' , '+TLSv1.2' ]
apache::mod::ssl::ssl_cipher: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Kater / Kerzenleuchter

candlepin::tls_versions: [ '1.2' ]

QPID-Versand

foreman_proxy_content::qpid_router_ssl_protocols: [ 'TLSv1.2' ]
foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'

ZELLSTOFF

pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"