@gregcorbett
Contributor

New SSL protocol and ciphersuite options have been added, and the defaults for those fields have been refreshed in reference to the latest Mozilla intermediate profile, see https://ssl-config.mozilla.org/

https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&guideline=5.7

  • Generated 2025-07-10, Mozilla Guideline v5.7, Apache 2.4.60, OpenSSL 3.4.0, intermediate config
  • Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, Safari 9.

Why the change is necessary.
Provide more modern defaults.

What backwards incompatibility it may introduce.
Those using the default options will see a change for the better, i.e. getting bumped from using TLSv1.0 to using TLSv1.2 or TLSv1.3.

- New SSL options added are in reference to the latest Mozilla
  intermediate profile, see https://ssl-config.mozilla.org
- Generated 2025-07-10, Mozilla Guideline v5.7, Apache 2.4.60,
  OpenSSL 3.4.0, intermediate config:
  https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&guideline=5.7
- Supports Firefox 27, Android 4.4.2, Chrome 31, Edge,
  IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, Safari 9.
- based on latest Mozilla intermediate profile,
  see https://ssl-config.mozilla.org
- Generated 2025-07-10, Mozilla Guideline v5.7, Apache 2.4.60,
  OpenSSL 3.4.0, intermediate config:
  https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&guideline=5.7
- Supports Firefox 27, Android 4.4.2, Chrome 31, Edge,
  IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, Safari 9.
@gregcorbett gregcorbett force-pushed the httpd_schema_default_update branch from 4dd6577 to 6e9fc12 Compare July 10, 2025 12:58
@gregcorbett gregcorbett marked this pull request as ready for review July 10, 2025 13:18
@gregcorbett
Contributor Author

It's not clear to me why the tests are failing, happy to take a look at it if I can be given some pointers.

@jrha
Member

jrha commented Jul 14, 2025

Looks like src/test/perl/service-httpd.t has a test in it that checks the defaults and looks for TLSv1, so that'll need updating.

#   Failed test 'Found at least one match (total 0 matches) for test idx 13 (pattern (?^:(?m:^\s{4}sslprotocol TLSv1$)))'
#   at /__w/configuration-modules-core/configuration-modules-core/ncm-metaconfig/target/dependency/build-scripts/Test/Quattor/RegexpTest.pm line 476.
#   Failed test 'Order ok for test idx 13 (pattern (?^:(?m:^\s{4}sslprotocol TLSv1$))) (lastpos 360 before -1)'

@gregcorbett
Contributor Author

Thanks for the pointer @jrha, I'll put this back into draft while looking into the tests.

@gregcorbett gregcorbett marked this pull request as draft July 14, 2025 08:46
@gregcorbett gregcorbett force-pushed the httpd_schema_default_update branch from 98b694d to 22d2c73 Compare July 15, 2025 11:01
@gregcorbett gregcorbett force-pushed the httpd_schema_default_update branch from ff19701 to 676a765 Compare July 16, 2025 07:37
@gregcorbett gregcorbett marked this pull request as ready for review July 16, 2025 07:52
@gregcorbett
Contributor Author

The tests are now passing 😄
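For sites that want to confirm their rendered httpd configuration actually moved off the old `sslprotocol TLSv1` default discussed in this thread, the following is an added example (not code from this pull request or from the project). It evaluates each `sslprotocol` line left to right in the way mod_ssl treats `+`, `-` and bare protocol names, and reports any protocol below TLSv1.2 that remains enabled; the sample config, the function names and the virtualhost labels are constructed for illustration, and `all` is expanded to its widest meaning (including SSLv3) as a worst-case assumption.

```python
import re

# Protocol names accepted by mod_ssl's SSLProtocol directive.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # everything below TLSv1.2
DIRECTIVE = re.compile(r"^\s*sslprotocol\s+(.+?)\s*$", re.I | re.M)

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right and return the enabled set."""
    canon = {p.lower(): p for p in KNOWN}
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            group = set(KNOWN)  # assumption: worst case, build still offers SSLv3
        elif name in canon:
            group = {canon[name]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)  # a bare name replaces whatever was set before
    return enabled

def audit(config_text):
    """Return (arguments, legacy protocols still enabled) per sslprotocol line."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        legacy = effective_protocols(m.group(1)) & LEGACY
        findings.append((m.group(1), sorted(legacy)))
    return findings

# Constructed sample: old default, an intermediate-style line, and an
# incomplete denylist that still leaves TLSv1.1 switched on.
SAMPLE = """\
<virtualhost old.example:443>
    sslprotocol TLSv1
</virtualhost>
<virtualhost new.example:443>
    sslprotocol -all +TLSv1.2 +TLSv1.3
</virtualhost>
<virtualhost partial.example:443>
    sslprotocol all -SSLv3 -TLSv1
</virtualhost>
"""
```

An empty list in a finding means only TLSv1.2 and/or TLSv1.3 remain enabled for that line.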
