modsecurity-crs-docker
Fixing part 7.12 of CIS Apache Benchmark - removing non-forward secrecy ciphers
Removing these non-forward secrecy ciphers from Apache configuration:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
Link to CRS wiki with the plan for this:
- https://github.com/coreruleset/coreruleset/wiki/Hardening%3A-the-Apache-Alpine-Docker-Container-2024#user-content-712-l2-ensure-only-cipher-suites-that-provide-forward-secrecy-are-enabled-automated
Hmm, looks like I picked the wrong ciphers - both of these support forward secrecy. But I can't see those mentioned in the CIS benchmark anywhere in the configuration.
@azurit @dune73 What's next here? Can you provide an update PR with the updated ciphers?