
Fixing part 7.12 of CIS Apache Benchmark - removing non-forward-secrecy ciphers

Open azurit opened this issue 3 months ago • 3 comments

Removing these non-forward-secrecy ciphers from the Apache configuration:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384

azurit, Mar 26 '24 10:03

Link to CRS wiki with the plan for this:

  • https://github.com/coreruleset/coreruleset/wiki/Hardening%3A-the-Apache-Alpine-Docker-Container-2024#user-content-712-l2-ensure-only-cipher-suites-that-provide-forward-secrecy-are-enabled-automated

dune73, Mar 26 '24 10:03

Hmm, looks like I picked the wrong ciphers - both of these support forward secrecy. But I can't see those mentioned in the CIS benchmark anywhere in the configuration.

azurit, Mar 26 '24 11:03
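The opening post lists two suites as non-forward-secrecy and the follow-up corrects that: both negotiate ECDHE, so both are forward secret. The script below is an added example for this thread, not code from the modsecurity-crs-docker project or from the CIS benchmark. It applies the check that CIS 7.12 asks for to an `SSLCipherSuite` value by looking at the key-exchange prefix of each OpenSSL suite name (`ECDHE-`, `DHE-`, `EDH-`, or a `TLS_` TLS 1.3 name means an ephemeral exchange), and flags anything else, including group aliases such as `HIGH` or operators such as `!aNULL` that would have to be expanded with `openssl ciphers -v` before they can be judged. The function names and the non-compliant sample directive are constructed for the example.

```python
"""Check an Apache SSLCipherSuite value for forward-secrecy compliance.

Added example for this issue thread; not part of the modsecurity-crs-docker
project or of the CIS benchmark text. Suites are classified by the
key-exchange part of their OpenSSL name, which is what CIS Apache Benchmark
7.12 (L2, "ensure only cipher suites that provide forward secrecy are
enabled") is about.
"""

# OpenSSL name prefixes that denote an ephemeral (forward-secret) key exchange.
# TLS_... are the TLS 1.3 suites, which always use ephemeral (EC)DHE.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")

# Cipher-string operators ("!aNULL", "-LOW", "+HIGH", "@STRENGTH") and group
# aliases name sets of suites, not single suites; they are reported as
# unresolved because only `openssl ciphers -v` can expand them reliably.
OPERATOR_CHARS = "!-+@"
GROUP_ALIASES = {
    "ALL", "COMPLEMENTOFALL", "DEFAULT", "COMPLEMENTOFDEFAULT",
    "HIGH", "MEDIUM", "LOW", "aNULL", "eNULL", "kRSA", "kEDH", "kEECDH",
    "aRSA", "aECDSA", "AESGCM", "CHACHA20", "SHA1", "SHA256", "SHA384",
    "RSA", "DH", "ECDH", "ECDHE", "DHE", "PSK", "kPSK",
}


def provides_forward_secrecy(name: str) -> bool:
    """True if the suite name denotes an ephemeral (EC)DH key exchange."""
    return name.startswith(FS_PREFIXES)


def forward_secrecy_report(cipher_suite: str) -> dict:
    """Split an SSLCipherSuite value on ':' (or ',') and bucket each token.

    Returns {"forward_secret": [...], "static": [...], "unresolved": [...]}.
    "static" holds suites with a non-ephemeral key exchange (e.g. plain RSA);
    "unresolved" holds operators and aliases that must be expanded first.
    """
    report = {"forward_secret": [], "static": [], "unresolved": []}
    for token in cipher_suite.replace(",", ":").split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in OPERATOR_CHARS or token in GROUP_ALIASES:
            report["unresolved"].append(token)
        elif provides_forward_secrecy(token):
            report["forward_secret"].append(token)
        else:
            report["static"].append(token)
    return report


def is_compliant(cipher_suite: str) -> bool:
    """Compliant only if every suite is forward secret and nothing is unresolved."""
    report = forward_secrecy_report(cipher_suite)
    return not report["static"] and not report["unresolved"]


# The two suites named in the issue: both negotiate ECDHE, so both pass.
ISSUE_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"

# Constructed sample that would fail 7.12: the last two suites use static RSA
# key exchange (no ECDHE-/DHE- prefix), so a recorded session could be
# decrypted later if the server's RSA key were ever compromised.
SAMPLE_NONCOMPLIANT = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES256-SHA"
)

if __name__ == "__main__":
    for label, value in (("issue", ISSUE_CIPHERS), ("constructed", SAMPLE_NONCOMPLIANT)):
        r = forward_secrecy_report(value)
        print(f"{label}: compliant={is_compliant(value)} "
              f"static={r['static']} unresolved={r['unresolved']}")
```

Running it shows the issue's two suites as compliant and the constructed directive as failing on `AES128-GCM-SHA256` and `AES256-SHA`. Name-prefix matching is a convenient first pass; the authoritative check remains `openssl ciphers -v '<SSLCipherSuite value>'` on the target host, reading the `Kx=` column for anything other than `ECDH`/`DH` with an ephemeral exchange, because aliases and OpenSSL build options decide what the string actually expands to.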

@azurit @dune73 What's next here? Can you provide an update PR with the updated ciphers?

fzipi, Apr 23 '24 11:04