author | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:03:29 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:04:38 -0300 |
commit | 8304fb462a0afebd93546af043ce741096a5ee1b (patch) | |
tree | a7bf7cfae14f1737cdbfe78b93ff113595b92b46 /etc/inc/system.inc | |
parent | 3d50cb09c62cd068ae27c5556616b503f08e279a (diff) | |
Remove BEAST protection option since default cipher is now good and works with hifn cards
Diffstat (limited to 'etc/inc/system.inc')
-rw-r--r-- | etc/inc/system.inc | 22 |
1 files changed, 2 insertions, 20 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 710690f..06e7bbe 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1341,28 +1341,10 @@ EOD; $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; $lighty_config .= "ssl.use-sslv3 = \"disable\"\n"; - /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */ - $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r"); - if ($fd) { - while (!feof($fd)) { - $dmesgl = fgets($fd); - if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) { - unset($config['system']['webgui']['beast_protection']); - log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")"); - break; - } - } - fclose($fd); - } - // where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway. $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n"; - - if (isset($config['system']['webgui']['beast_protection'])) { - $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n"; - } else { - $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n"; - } + + $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n"; if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n"; |
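Review bot: The now-unconditional `ssl.cipher-list` assignment has no comment explaining why this one suite order is safe for every installation, and the removed block was the only place that documented the Hifn constraint. The list still ends with the static-RSA CBC suites `AES128-SHA:AES256-SHA`, so I would add a short rationale above it, for example `// Single cipher list for all hardware: ECDHE/DHE preferred via honor-cipher-order; AES*-SHA kept only as a legacy fallback (CBC, no forward secrecy).` The new code also stops reading `$config['system']['webgui']['beast_protection']` without unsetting it, so a saved configuration may keep a stale key unless another file in the commit removes it (the diffstat shown is limited to system.inc). The enclosing function starts and ends outside the hunk.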