coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Fixing part 7.12 of CIS Apache Benchmark - removing non-forward secrecy ciphers #220

Open azurit opened 3 months ago

azurit commented 3 months ago

Removing these non-forward secrecy ciphers from Apache configuration:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384

dune73 commented 3 months ago

Link to CRS wiki with the plan for this:

azurit commented 3 months ago

Hmm, looks like I picked the wrong ciphers - both of these support forward secrecy. But I can't see those mentioned in the CIS benchmark anywhere in the configuration.
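
Added example, not part of the thread or the project's code: a name-based check that sorts the ciphers in an Apache `SSLCipherSuite` line by whether their key exchange gives forward secrecy, which is the mix-up discussed above. The function names and the sample directive are constructed for illustration, and the classification assumes OpenSSL-style cipher names.

```python
# Added example: name-based forward-secrecy check for an Apache SSLCipherSuite line.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange


def has_forward_secrecy(name):
    """True if an OpenSSL-style cipher name implies an ephemeral key exchange."""
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use ephemeral (EC)DHE.
    # Anonymous ADH-/AECDH- suites are deliberately not counted here.
    return name.startswith("TLS_") or name.startswith(EPHEMERAL_PREFIXES)


def audit_cipher_suite(directive):
    """Sort the ciphers an SSLCipherSuite line enables into three buckets."""
    parts = directive.split()
    if len(parts) < 2 or parts[0].lower() != "sslciphersuite":
        raise ValueError("not an SSLCipherSuite directive")
    report = {"forward_secret": [], "no_forward_secrecy": [], "unresolved": []}
    # The cipher spec is the last token; an optional protocol may precede it.
    for item in parts[-1].strip('"').split(":"):
        if not item or item[0] in "!-":
            continue  # exclusions remove ciphers, nothing to classify
        item = item.lstrip("+")
        if not item.startswith("TLS_") and ("-" not in item or "+" in item):
            # Aliases such as HIGH or ECDHE+AESGCM expand to many ciphers;
            # resolve them with `openssl ciphers -v` instead of guessing.
            report["unresolved"].append(item)
        elif has_forward_secrecy(item):
            report["forward_secret"].append(item)
        else:
            report["no_forward_secrecy"].append(item)
    return report


# Constructed sample directive (not taken from the repository's configuration).
SAMPLE = ("SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:AES128-GCM-SHA256:"
          "DHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL")

if __name__ == "__main__":
    for bucket, names in audit_cipher_suite(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

In the sample, only `AES128-GCM-SHA256` (RSA key exchange) lands in the bucket without forward secrecy; both ciphers named in the pull request description are classified as forward secret.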

fzipi commented 2 months ago

@azurit @dune73 What's next here? Can you provide an update PR with the updated ciphers?