Update ciphers used by stunnel/XAPI

minglumlu · minglumlu · commit 9b9a1f83a71c · 2021-07-02T07:10:53.000Z
For the sake of security, CBC ciphers are required to be removed from
TLS interface of XAPI.

But only one would remain in available cipher list after the removal.
Therefore a new configuration 'ECDHE-RSA-AES128-GCM-SHA25' is added.

Note: IANA name of 'ECDHE-RSA-AES128-GCM-SHA25 is
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.

Signed-off-by: Ming Lu &lt;ming.lu@citrix.com&gt;
diff --git a/lib/xcp_const.ml b/lib/xcp_const.ml
@@ -1,8 +1,6 @@
 let good_ciphersuites =
   String.concat ":"
     [
-      "ECDHE-RSA-AES256-SHA384"
-    ; "ECDHE-RSA-AES256-GCM-SHA384"
-    ; "AES256-SHA256"
-    ; "AES128-SHA256"
+      "ECDHE-RSA-AES256-GCM-SHA384"
+    ; "ECDHE-RSA-AES128-GCM-SHA256"
     ]

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,6 @@`
`1`	`1`	`let good_ciphersuites =`
`2`	`2`	`String.concat ":"`
`3`	`3`	`[`
`4`		`- "ECDHE-RSA-AES256-SHA384"`
`5`		`- ; "ECDHE-RSA-AES256-GCM-SHA384"`
`6`		`- ; "AES256-SHA256"`
`7`		`- ; "AES128-SHA256"`
	`4`	`+ "ECDHE-RSA-AES256-GCM-SHA384"`
	`5`	`+ ; "ECDHE-RSA-AES128-GCM-SHA256"`
`8`	`6`	`]`