From 673ee7b1e8fcdcce197d5099e90f93f316893b8d Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 19 Apr 2011 17:06:00 -0400
Subject: Harden SSL settings a bit. Verified OK with @cmb and @billm
---
 etc/inc/system.inc | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'etc/inc/system.inc')
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 2e64099..c55a0c0 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1086,6 +1086,11 @@ EOD;
 $lighty_config .= "## ssl configuration\n";
 $lighty_config .= "ssl.engine = \"enable\"\n";
 $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n\n";
+
+ // Harden SSL a bit for PCI conformance testing
+ $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
+ $lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH\"\n";
+
 if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
 }
--
cgit v1.1
From 0b9d02f3677c78be1fe9fd16aedc3eb8f9d5c493 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Tue, 26 Apr 2011 10:18:12 -0400
Subject: Don't just blindly echo to the ntpd.log, it's a clog file and that will break it.
---
 etc/inc/system.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc/inc/system.inc')
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index c55a0c0..e2c02aa 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1201,7 +1201,7 @@ function system_ntp_configure() {
 exec("/usr/local/sbin/ntpd -s -f {$g['varetc_path']}/ntpd.conf");
 // Note that we are starting up
- exec("echo 'OpenNTPD is starting up' >> {$g['varlog_path']}/ntpd.log");
+ log_error("OpenNTPD is starting up.");
 }
--
cgit v1.1
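Review bot: The added `ssl.cipher-list` line explicitly whitelists `RC4+MEDIUM` right after excluding 3DES, so RC4 suites remain negotiable even though the comment calls this hardening; RC4 is now prohibited for TLS by RFC 7465, so that entry should become an exclusion, e.g. `$lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH\"\n";`. The `ssl.use-sslv2` line turns off SSLv2 only and leaves SSLv3 enabled; adding `$lighty_config .= "ssl.use-sslv3 = \"disable\"\n";` next to it closes that gap, since lighttpd accepts that directive. The comment `// Harden SSL a bit for PCI conformance testing` would age better as `// Disable SSLv2 and restrict the cipher suite; required by PCI conformance scans`, because "a bit" does not say which protocol or cipher constraints are being enforced. The function this block belongs to starts before the hunk, and whether the trailing `}` closes it is not visible here.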
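Review bot: The new `log_error("OpenNTPD is starting up.");` reports a start-up whether or not the `exec(...)` on the preceding context line actually launched ntpd, because that call discards the command's exit status; capturing it with `exec("/usr/local/sbin/ntpd -s -f {$g['varetc_path']}/ntpd.conf", $output, $retval);` and logging a distinct failure message when `$retval != 0` would make the log line truthful. Using a helper named `log_error` for an informational message is also a point of style: if the project has a non-error-level logging helper it belongs here, though `log_error` is defined outside the hunk so its actual level cannot be confirmed from this view. The surviving exec still builds its command line by interpolating `$g['varetc_path']` into a shell string; that is presumably a fixed internal path, but passing the argument through `escapeshellarg()` costs nothing and keeps the shell out of the picture. `system_ntp_configure()` begins before the hunk; the closing `}` appears to end it.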