From bc20c2e9a4fdc1b481e6a42af3878c3b44fd8419 Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Tue, 11 Jun 2019 13:44:00 -0400 Subject: [PATCH] Do not default ciphers if version set A custom TLS version can conflict with the default ciphers. --- xCAT-server/sbin/xcatd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd index 36a670862..06d6c4036 100755 --- a/xCAT-server/sbin/xcatd +++ b/xCAT-server/sbin/xcatd @@ -1553,7 +1553,7 @@ until ($quit) { $extrasslargs{SSL_version} = "SSLv23:!SSLv2:!SSLv3:!TLSv1" unless length $extrasslargs{SSL_version}; if ($::XCATSITEVALS{xcatsslciphers}) { $extrasslargs{SSL_cipher_list} = $::XCATSITEVALS{xcatsslciphers}; } - $extrasslargs{SSL_cipher_list} = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384" unless length $extrasslargs{SSL_cipher_list}; + $extrasslargs{SSL_cipher_list} = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384" unless length $extrasslargs{SSL_cipher_list} or length $extrasslargs{SSL_version}; use Data::Dumper; $SIG{ALRM} = sub { $ssltimeout = 1; die; };
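Review bot: The added `or length $extrasslargs{SSL_version}` test looks always true at this point, because the first context line of the hunk has already filled `SSL_version` with the `SSLv23:!SSLv2:!SSLv3:!TLSv1` default whenever it was empty. As written, the ECDHE/AES-GCM default therefore appears to be skipped for every configuration, not only when a custom TLS version is set, and the listener would fall back to whatever cipher list the SSL library uses by default. Record whether a custom version was set before that default is applied, e.g. `my $customsslversion = length $extrasslargs{SSL_version};` above the `SSL_version` default, and end the cipher line with `unless length $extrasslargs{SSL_cipher_list} or $customsslversion;`. The `until ($quit)` loop body starts and ends outside the hunk, so how `%extrasslargs` is populated earlier should be confirmed.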