rpmfusion-infra / ansible-rpmfusion


Use https for distgit URLs #1

Closed tyll closed 4 years ago

tyll commented 8 years ago

Thank you very much for providing proper https for dist git. This is an initial change to make it more prominent.

tyll commented 8 years ago

I also fixed some other issues to make TLS more secure; see https://www.ssllabs.com/ssltest/analyze.html?d=pkgs.rpmfusion.org for issues with the current config.

kwizart commented 8 years ago

Thx for this pull request.

However, the certificate support is still handled manually, so I cannot enforce https until there is an ansible role for letsencrypt that will create a service to renew the certificate automatically. To have the whole picture, the same IP address might be used for reverse proxy of other services, so this might have one x509 certificate with several domain names. But one certificate per domain might be a first step.

There are rfpkg dependencies to be tested to fetch the source content from the builder; this needs to be working first, before we start improving existing features. Also, upload.cgi still uses md5sum in current distgit, sha256 needs to be working...

kwizart commented 8 years ago

I've merged your patches about https, but I've redesigned where the VirtualHosts are located. So the other changes will reappear in the apache role in a few. I don't plan to enable HSTS until everything has settled a little more. Also, my current understanding of the server side cipher list as such is that the more expensive ciphers are tried first, instead of a balance between strong ciphers and enough security (integrity); again, I plan to revisit once everything has settled a little more.

Thx for your contribution, and I will be pleased to see more.