  1. Satellite
  2. SAT-31392

Need a way to disable weak ciphers for Mosquitto in installer level


    • False
    • sat-rocket
    • None
    • Mosquitto will now respect crypto-policies

      Previously Mosquitto (used by REX pull mode) used its own TLS configuration. It now respects the system-wide crypto-policies to secure access.
    • In Progress
    • None

      Description of problem:

      Currently, there doesn't seem to be a way to disable any weak ciphers for the Mosquitto broker, either at the satellite-installer level or by overriding the variable in custom hiera.

      For example, if we wish to disable all CBC ciphers, the only way we can do it is to manually add the following setting to the "/etc/mosquitto/mosquitto.conf" file.

      ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256 

      This change will be reverted by the installer every time we run it.

       

       

       

              ekohlvan@redhat.com Ewoud Kohl van Wijngaarden
              rhn-support-hyu Hao Chang Yu
              Lukas Pramuk Lukas Pramuk
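An added example (not part of the original issue and not Satellite's or Mosquitto's own code): a small Python check that reads mosquitto.conf text and reports whether the manually added `ciphers` line is still present and lists only AEAD suites, which helps notice when an installer run has reverted it. The function name `audit_ciphers`, the sample configs and the listener port are assumptions; it expects explicit suite names as in the description, not OpenSSL keywords such as HIGH.

```python
import re

# Name tokens that mark an AEAD suite; anything without one (CBC etc.) is flagged.
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20"}

def audit_ciphers(conf_text):
    """Audit every `ciphers` line in mosquitto.conf text (not mapped to listeners).

    Returns (status, flagged). status is "missing" when no cipher list is
    configured (the state after the installer rewrites the file), "weak" when
    a listed suite has no AEAD token, otherwise "ok".
    """
    suites = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if parts[0] == "ciphers" and len(parts) == 2:
            suites += [s for s in parts[1].split(":") if s]
    if not suites:
        return "missing", []
    # Split on "_" and "-" so IANA and OpenSSL style names are both handled.
    flagged = [s for s in suites
               if not AEAD_TOKENS & set(re.split(r"[-_]", s.upper()))]
    return ("weak" if flagged else "ok"), flagged

# Constructed sample configs (not taken from a real Satellite host).
HARDENED = """\
listener 1883
ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
WITH_CBC = """\
listener 1883
ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
"""
REVERTED = """\
# ciphers line removed by a later installer run
listener 1883
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("with_cbc", WITH_CBC),
                       ("reverted", REVERTED)):
        print(name, audit_ciphers(text))
```

Run against the contents of "/etc/mosquitto/mosquitto.conf" after each installer run; a "missing" result means the broker is back on its default cipher list.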