
Bug#779333: marked as done (unblock: pre-approval: haproxy/1.5.8-3)



Your message dated Sat, 14 Mar 2015 10:41:56 +0100
with message-id <55040264.80809@thykier.net>
and subject line Re: Bug#779333: unblock: pre-approval: haproxy/1.5.8-3
has caused the Debian Bug report #779333,
regarding unblock: pre-approval: haproxy/1.5.8-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779333
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hey!

Currently, the configuration file shipped with haproxy comes with a
cipher list where RC4 is allowed:

 kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

Since RC4 is almost broken, it seems a good idea to remove it. To keep
compatibility with older browsers, other ciphers need to be introduced
(3DES). There are many recommended cipher strings in the wild:

 https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 https://wiki.mozilla.org/Security/Server_Side_TLS
 https://github.com/cloudflare/sslconfig/blob/master/conf

We picked the first one. See the attached debdiff.

Would such a change be accepted for Jessie? Not uploaded yet.

unblock haproxy/1.5.8-3

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 0b49137269e2..c3e53128d0fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+haproxy (1.5.8-3) unstable; urgency=medium
+
+  * Remove RC4 from the default cipher string shipped in configuration.
+
+ -- Vincent Bernat <bernat@debian.org>  Fri, 27 Feb 2015 11:29:23 +0100
+
 haproxy (1.5.8-2) unstable; urgency=medium
 
   * Cherry-pick the following patches from 1.5.9 release:
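Review bot: the changelog line `+  * Remove RC4 from the default cipher string shipped in configuration.` understates the change: the new string in debian/haproxy.cfg also drops the `!kEDH` exclusion, so DHE suites are now offered, and adds 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) to keep older clients working, as the cover note says. An administrator reading the changelog on upgrade should see both, since they change which suites get negotiated; suggest wording such as `* Replace the default cipher string: drop RC4, add 3DES and DHE suites for compatibility.`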
diff --git a/debian/haproxy.cfg b/debian/haproxy.cfg
index f84a37c9b428..86da67d552d2 100644
--- a/debian/haproxy.cfg
+++ b/debian/haproxy.cfg
@@ -13,9 +13,10 @@ global
 	crt-base /etc/ssl/private
 
 	# Default ciphers to use on SSL-enabled listening sockets.
-	# For more information, see ciphers(1SSL).
-	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
-        ssl-default-bind-options no-sslv3
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
 
 defaults
 	log	global
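Review bot: at the `+	ssl-default-bind-ciphers` line, removing `!kEDH` and adding `DH+AESGCM:DH+AES256:DH+AES:DH+3DES` turns DHE key exchange on in a default configuration that previously excluded it, and nothing in this hunk sets the DH parameter size; please confirm that the size HAProxy 1.5 uses for DHE when `tune.ssl.default-dh-param` is left unset is acceptable, or set it explicitly in this `global` section next to the cipher string. The comment change is welcome, but it should also say why 3DES is kept (older clients), since the cover note explains that and the file does not. The conversion of the `ssl-default-bind-options no-sslv3` line from spaces to a tab matches the rest of the file; keep it.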

--- End Message ---
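A check worth running before accepting a cipher-string change like the one above: expand both strings with the local OpenSSL and look at exactly which suites each selects, rather than trusting the string by eye. The script below is an added example and is not part of the bug report or of the haproxy package; the FORBIDDEN list and the helper names are my own. One caveat: OpenSSL 1.1.0 and later are built without RC4 suites, so on such a build the old string will not show RC4-SHA anywhere (the string is still accepted, because OpenSSL ignores cipher names it does not know); the comparison still shows the DHE suites that the old `!kEDH` excluded and the new string admits.

```python
"""Expand the two HAProxy ssl-default-bind-ciphers strings from this bug
with the local OpenSSL and check what each one actually selects."""
import ssl

# Both strings are copied from the debdiff in this bug report.
OLD = "kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL"
NEW = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
       "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

# Substrings of OpenSSL cipher names that a hardened server list must not
# contain. This is an assumed policy for the check, not from the bug report.
FORBIDDEN = ("RC4", "MD5", "DSS", "ADH", "AECDH", "NULL", "EXP")


def expand(cipher_string):
    """Return the TLS 1.0-1.2 cipher names the local OpenSSL selects for
    cipher_string, in the preference order a server would use.

    TLS 1.3 suites are configured separately from this string (OpenSSL
    1.1.1+ reports them from get_ciphers() regardless), so they are skipped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def offending(names):
    """Cipher names that contain any FORBIDDEN substring."""
    return [n for n in names if any(bad in n for bad in FORBIDDEN)]


def key_exchanges(names):
    """Rough classification of the key-exchange families present, derived
    from the name prefixes OpenSSL uses for its cipher suites."""
    kinds = set()
    for n in names:
        if n.startswith("ECDHE-"):
            kinds.add("ECDHE")
        elif n.startswith("DHE-"):
            kinds.add("DHE")
        else:
            kinds.add("other")   # plain RSA key transport, PSK variants, ...
    return kinds


def compare(old, new):
    """Summarise the effect of replacing cipher string old by new."""
    o, n = expand(old), expand(new)
    return {
        "removed": [c for c in o if c not in n],
        "added": [c for c in n if c not in o],
        "old_offending": offending(o),
        "new_offending": offending(n),
        "new_key_exchanges": sorted(key_exchanges(n)),
    }


if __name__ == "__main__":
    for key, value in compare(OLD, NEW).items():
        print(f"{key}: {value}")
```

Run it against the OpenSSL that the HAProxy binary links to, not whatever happens to be on a workstation: the expansion of aliases such as `DH`, `RSA` and `AES` depends on the library version, and the point of the check is to see the suite list the deployed server will offer.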
--- Begin Message ---
On 2015-03-11 17:04, Vincent Bernat wrote:
> Control: tags -1 - moreinfo
> 
>  ❦ 11 March 2015 13:45 +0100, Ivo De Decker <ivodd@debian.org> :
> 
>>> Would such a change be accepted for Jessie? Not uploaded yet.
>>
>> Please go ahead and remove the moreinfo tag from this bug once the upload is
>> in unstable.
> 
> Done. Thanks!
> 

Unblocked, thanks.

~Niels

--- End Message ---
