Entuity v19.0 as installed by default is configured to maximize compatibility for the purposes of testing and familiarization.
However, for a production configuration, Entuity strongly recommends that administrators adjust the security settings to remove HTTP access on port 80, and edit the httpd configuration to remove support for TLS 1.1 and certain older cipher suites. This helps avoid exposure to known attacks such as SWEET32, which targets 64-bit block ciphers such as 3DES.
Entuity therefore recommends making the following changes to the file $ENTUITY_HOME/install/template/lib/apache/conf/httpd_eye.conf:
- On line 754, remove +TLSv1.1, so that:
##CONFIGPARSE## SSLProtocol -ALL +TLSv1.1 +TLSv1.2
becomes:
##CONFIGPARSE## SSLProtocol -ALL +TLSv1.2
- On line 755 of the same file, replace the cipher list with the recommended alternative, so that:
##CONFIGPARSE## SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
becomes:
##CONFIGPARSE## SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Notes:
- After editing the template file (as in the changes above), you must run configure so that the changes are written to the live httpd configuration file.
- Any changes to these files are lost on upgrade, so they must be reapplied after every upgrade.
- Restricting the protocol versions and cipher suites can cause compatibility issues with older browser versions, e.g. Microsoft IE11. As of Entuity v19.0, the Entuity web UI is certified for use with:
- Microsoft Edge v44.
- Firefox 68 or later.
- Google Chrome 79 or later.
- From Entuity v20.0 upwards, support for TLS 1.0, TLS 1.1, SSLv3 and the following outdated TLS 1.2 ciphers (RC4-SHA:RC4-MD5:DES-CBC3-SHA) has been removed from the default configuration, so the manual changes above apply to v19.0 only.
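The following script is an added check and is not part of the Entuity documentation or product. It parses the two directives quoted above from a config fragment, applies Apache's +name / -name / all rules to SSLProtocol, and flags legacy protocol versions and weak cipher tokens. The DEFAULT_CONF and HARDENED_CONF strings are constructed inline from the lines quoted above so the script runs offline; it does not expand OpenSSL class keywords such as ALL or HIGH, so a keyword-based cipher string is reported as open-ended and checked only for the class exclusions it carries.

```python
"""Offline audit of Apache SSLProtocol / SSLCipherSuite directives (added example, not Entuity code).

Parses directive text only; OpenSSL class keywords (ALL, HIGH, ...) are not expanded, so a
keyword-based cipher string is reported as open-ended and checked for class exclusions.
"""
import re

# Constructed sample input: the default and hardened directives quoted in the article.
# ##CONFIGPARSE## is the marker Entuity's template puts on these lines.
DEFAULT_CONF = (
    "##CONFIGPARSE## SSLProtocol -ALL +TLSv1.1 +TLSv1.2\n"
    "##CONFIGPARSE## SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:"
    "+HIGH:+MEDIUM:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA\n"
)
HARDENED_CONF = (
    "##CONFIGPARSE## SSLProtocol -ALL +TLSv1.2\n"
    "##CONFIGPARSE## SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\n"
)

# What Apache's "all" keyword expands to; SSLv2 is never included, TLSv1.3 assumes httpd 2.4.37+.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# Class exclusions a keyword-based cipher string should carry. OpenSSL's DES keyword
# covers single DES only; triple DES is the separate 3DES keyword.
REQUIRED_EXCLUSIONS = {
    "ANULL": "unauthenticated key exchange", "ENULL": "null encryption",
    "RC4": "RC4 stream cipher", "MD5": "MD5 MAC",
    "3DES": "64-bit block cipher (SWEET32)",
}
# Fragments of explicit suite names that identify a weak suite.
WEAK_SUITE_FRAGMENTS = [
    ("DES-CBC3", "3DES, 64-bit block cipher (SWEET32)"), ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5 MAC"), ("NULL", "null encryption or authentication"),
    ("EXP", "export-grade key length"),
]


def parse_directives(text):
    """Return {directive: value} for the two TLS directives, ignoring the template marker."""
    found = {}
    for raw in text.splitlines():
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", raw.replace("##CONFIGPARSE##", "").strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def enabled_protocols(value):
    """Apply Apache's +name / -name / all tokens left to right; return the enabled set."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in _CANONICAL:
            names = {_CANONICAL[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % tok)
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def audit_cipher_string(value):
    """Return findings for an SSLCipherSuite value. Tokens containing '-' are explicit
    suite names; anything else is a class keyword. A '!' token excludes permanently."""
    findings = []
    tokens = value.split(":")
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    positive = [t for t in tokens if not t.startswith("!")]
    classes = [t for t in positive if "-" not in t]
    if classes:
        findings.append("open-ended cipher string (%s): expand with 'openssl ciphers -v'" % ", ".join(classes))
        findings += ["!%s missing: %s" % (kw, why) for kw, why in REQUIRED_EXCLUSIONS.items() if kw not in excluded]
    for suite in (t.lstrip("+-") for t in positive if "-" in t):
        findings += ["%s: %s" % (suite, why) for frag, why in WEAK_SUITE_FRAGMENTS if frag in suite.upper()]
        if not suite.upper().startswith(("ECDHE-", "DHE-", "EDH-")):
            findings.append("%s: no forward secrecy" % suite)
    return findings


def audit(text):
    """Audit a config fragment; return enabled protocols and findings (empty list = clean)."""
    d = parse_directives(text)
    protocols = enabled_protocols(d["SSLProtocol"]) if "SSLProtocol" in d else set()
    findings = ["%s enabled" % p for p in ALL_PROTOCOLS if p in protocols & LEGACY_PROTOCOLS]
    findings += [] if "SSLProtocol" in d else ["no SSLProtocol directive found"]
    findings += audit_cipher_string(d["SSLCipherSuite"]) if "SSLCipherSuite" in d else ["no SSLCipherSuite directive found"]
    return {"protocols": sorted(protocols), "findings": findings}


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run it against the live file after configure has been run: the default directives report TLSv1.1 as enabled and note that the keyword-based cipher list never excludes the 3DES class (only !DES, which in OpenSSL means single DES), which is exactly the SWEET32 exposure; the hardened directives report no findings. Because the script does not expand class keywords, confirm an open-ended list with openssl ciphers -v '<cipher string>' and, once httpd has been restarted, confirm the server itself with openssl s_client -connect <host>:443 -tls1_1, which should fail to negotiate.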