我们需要禁用在端口 8008 和 9090 上运行的 TLS_RSA_WITH_AES_256_GCM_SHA384。

以下进程分别在端口 8008 和 9090 上运行 -

ruby /usr/bin/smart_proxy_dynflow_core -d -p /var/run/foreman-proxy/smart_proxy_dynflow_core.pid

ruby /usr/share/foreman-proxy/bin/smart-proxy --no-daemonize

以下是/etc/foreman-installer/custom-hiera.yaml的配置文件

领班代理

foreman_proxy::tls_disabled_versions: [ '1.1' ]
foreman_proxy::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA', 'AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

动态流

foreman_proxy::plugin::dynflow::tls_disabled_versions: [ '1.1' ]
foreman_proxy::plugin::dynflow::ssl_disabled_ciphers: ['AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

阿帕奇

apache::mod::ssl::ssl_protocol: [ 'ALL' , '-SSLv3' , '-TLSv1' , '-TLSv1.1' , '+TLSv1.2' ]
apache::mod::ssl::ssl_cipher: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Tomcat/烛台

candlepin::tls_versions: [ '1.2' ]

QPID 调度

foreman_proxy_content::qpid_router_ssl_protocols: [ 'TLSv1.2' ]
foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'

纸浆

pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"