Should Charms disable SSLv3 and RC4?
Bryan Quigley
bryan.quigley at canonical.com
Mon Mar 28 20:33:22 UTC 2016
Hi all,

Right now if you deploy juju-gui or openstack-dashboard (and likely
many more) they will follow the 14.04 default and have SSLv3 and RC4
enabled. In both cases this can make the communication insecure.

1) Should we default SSLv3/RC4 to disabled in charms that we know we can?
For example, last I checked the OpenStack dashboard does not support
IE6, so we don't need SSLv3 support.

2) Should every charm that includes a web server let you override
SSLOptions with a specific option? This is likely to happen again,
and maybe next time we won't be able to just disable them.

Kind regards,
Bryan

Example results:
https://www.ssllabs.com/ssltest/analyze.html?d=15.35.213.162.lcy-02.canonistack.canonical.com&hideResults=on