#1644 Installation: allow customization of cipher list before actual installation
Closed: Fixed None Opened 3 years ago by cfu.

Case being a site has customized its cipher lists (sslRangeCiphers) in server.xml throughout all CS instances.
new cipher list being a lot more stringent.

When installing new cs instance, the default ciphers does not overlap with the already-installed servers, including the Security Domain CA, hence making it not able to connect.
Workaround is to loosen the ciphers on the SD CA and possibly others required during installation; however, that is not ideal, as it requires making changes and restarting the affected servers and changing them back later.

It would make better sense to allow admin to customize the cipher list of the to-be-installed instance before the actual installation.

We tried to enable the TLS_ECDHE cipher suite across the board for all components (sslRangeCiphers). The new cipher list just adds cipher suites to enable PFS, it doesn't remove them. However, with this new setting, additional RHCS components fail to install. If we wait until the environment is built, then flip on TLS_ECDHE, the CA is no longer able to communicate with the KRAs.

From IRC conversation of 10/20/2015: 10.3 - minor

Metadata Update from @cfu:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.1

2 years ago

Login to comment on this ticket.