This repository has been archived by the owner on Jul 11, 2020. It is now read-only.
disable dhparam for now
dwradcliffe committed Jun 18, 2015
1 parent b4ce422 commit 3025371
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion Berksfile.lock
@@ -254,7 +254,7 @@ GRAPH
rubygems-backups (0.0.21)
chef-vault (>= 0.0.0)
rubygems-ruby (>= 0.0.0)
rubygems-balancer (0.0.58)
rubygems-balancer (0.0.60)
chef-vault (>= 0.0.0)
datadog (>= 0.0.0)
logrotate (>= 0.0.0)
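Review bot: the lock pin jumps from 0.0.58 straight to 0.0.60, skipping 0.0.59, and the commit message ("disable dhparam for now") gives no hint why two versions were consumed; if 0.0.59 was never released, a one-line note in the commit or changelog would save the next reader a search, and the pin does at least agree with the `version '0.0.60'` bump in cookbooks/rubygems-balancer/metadata.rb in this same commit.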
2 changes: 1 addition & 1 deletion cookbooks/rubygems-balancer/metadata.rb
@@ -1,6 +1,6 @@
name 'rubygems-balancer'

version '0.0.58'
version '0.0.60'

depends 'chef-vault'
depends 'datadog'
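Review bot: the bump to `version '0.0.60'` ships a security-relevant regression (the custom DH parameters are commented out in the nginx template) with nothing in the cookbook recording that it is temporary or why; suggest adding a changelog or metadata comment stating the client-compatibility reason and the intent to re-enable with a smaller parameter size, so the follow-up is not lost once this version is deployed.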
@@ -200,7 +200,7 @@ server {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam <%= node['nginx']['dir'] %>/certs/dhparam.pem;
# ssl_dhparam <%= node['nginx']['dir'] %>/certs/dhparam.pem;

# There are bugs in Net::HTTP::Persisent + OpenSSL in 1.8 are uncovered by
# trying to use a session cache. If we switch it off, they go away.
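Review bot: commenting out `ssl_dhparam` while `ssl_ciphers` still offers the DHE suites (`DHE-RSA-AES128-GCM-SHA256`, `kEDH+AESGCM`, `DHE-DSS-AES128-SHA256`, and the rest of the DHE-* entries) means nginx of this vintage will negotiate those suites with its built-in default DH group rather than the custom one, which is exactly the Logjam exposure raised in the comments below. If the custom parameters have to stay off for client compatibility, the safer companion change is to drop the `DHE-` and `kEDH` entries from `ssl_ciphers` in the same commit so key exchange is limited to the ECDHE and plain RSA suites already listed; re-adding `ssl_dhparam` later can then bring the DHE suites back together with the parameters they depend on. A short `# disabled because ... see commit 3025371` comment next to the commented-out directive would also make the intent clear in the rendered config.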

3 comments on commit 3025371

@nateberkopec


Why was this disabled? This leaves us vulnerable to Logjam.

@dwradcliffe
Member Author


@nateberkopec Some clients didn't support it, and caused a big mess when I enabled it. I'd like to try again with a lower size.

@nateberkopec


Ah, that makes sense. I suppose the entire SSL config basically has to work with whatever crap machine people are using bundle install on, right? Ouch.

Was 2048 not supported? It looks like we can mitigate by at least using a custom 1024-bit.
