Hello Foreman Team,
Our customer has some problems with an older Foreman version (1.22). I am listing three problems here; maybe you can help us:
Problem:
- Foreman proxy: Suppression of the Foreman proxy version in error pages and HTTP headers
- Foreman proxy: Deactivation of Secure Client-Initiated Renegotiation
- Foreman proxy: Deactivation of cipher suites without forward secrecy
Expected outcome:
- It is recommended to prevent disclosure of the server version in the HTTP server header with the appropriate server settings.
- Able to deactivate “Secure Client-Initiated Renegotiation”
- In the installed Foreman version 1.22, ciphers that meet this requirement should be used automatically
Foreman and Proxy versions: 1.22
Foreman and Proxy plugin versions:
Distribution and version:
Other relevant data:
```text
3. Testing vulnerabilities
...
Secure Client-Initiated Renegotiation    VULNERABLE (NOT ok), DoS threat
...
Testing all 118 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits
------------------------------------------------------------------------
x9d      AES256-GCM-SHA384            RSA       AESGCM      256
x3d      AES256-SHA256                RSA       AES         256
x35      AES256-SHA                   RSA       AES         256
x9c      AES128-GCM-SHA256            RSA       AESGCM      128
x3c      AES128-SHA256                RSA       AES         128
x2f      AES128-SHA                   RSA       AES         128
```
Thanks and have a great day!
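As an added example (this is not part of the original post and not Foreman's or smart-proxy's own code), the Python script below shows how to read a testssl.sh cipher table like the one above and flag every suite whose key exchange is plain RSA (no forward secrecy), how to build a server-side TLS context whose cipher string excludes those suites and disables renegotiation, and how to spot a Server header that leaks a version. The OpenSSL cipher string, the `has_forward_secrecy` classifier and the sample HTTP response are my own assumptions for illustration; how the equivalent settings map onto the Foreman proxy configuration is not something this example claims.

```python
"""Check TLS cipher suites for forward secrecy and HTTP headers for version leaks.

Added example, not code from the original post or from the Foreman project.
The cipher names are the OpenSSL names that testssl.sh prints; classification
is by the key-exchange method encoded in the name (testssl's KeyExch. column).
"""
import re
import ssl

# Constructed input: the six cipher suites from the testssl.sh excerpt above.
TESTSSL_EXCERPT = """\
x9d AES256-GCM-SHA384 RSA AESGCM 256
x3d AES256-SHA256 RSA AES 256
x35 AES256-SHA RSA AES 256
x9c AES128-GCM-SHA256 RSA AESGCM 128
x3c AES128-SHA256 RSA AES 128
x2f AES128-SHA RSA AES 128
"""

# Constructed sample response (hypothetical, not captured from a real proxy).
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: WEBrick/1.4.2 (Ruby/2.5.5/2019-10-01)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Assumed hardened OpenSSL cipher string: only ephemeral (EC)DH key exchange,
# AEAD ciphers, no anonymous or NULL suites. TLS 1.3 suites are unaffected by
# set_ciphers() and always use ephemeral key exchange.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"
)


def has_forward_secrecy(openssl_name: str) -> bool:
    """True if the suite uses ephemeral (EC)DH, i.e. provides forward secrecy.

    Plain-RSA suites (AES256-GCM-SHA384, ...) and static (EC)DH suites do not;
    ECDHE-*/DHE-*/EDH-* suites and all TLS 1.3 suites (TLS_*) do.
    """
    if openssl_name.startswith("TLS_"):
        return True
    return openssl_name.startswith(("ECDHE-", "DHE-", "EDH-"))


def parse_testssl_ciphers(text: str):
    """Yield (hexcode, name, key_exchange) for each cipher line in testssl output."""
    for line in text.splitlines():
        parts = line.split()
        # Cipher rows start with an xNN hexcode followed by the OpenSSL name.
        if len(parts) >= 3 and re.fullmatch(r"x[0-9a-fA-F]{2,4}", parts[0]):
            yield parts[0], parts[1], parts[2]


def non_fs_ciphers(text: str):
    """Names of the suites in the testssl table that lack forward secrecy."""
    return [name for _, name, _ in parse_testssl_ciphers(text)
            if not has_forward_secrecy(name)]


def hardened_context() -> ssl.SSLContext:
    """Server context with FS-only ciphers and renegotiation disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    # OP_NO_RENEGOTIATION exists on Python 3.7+ with OpenSSL >= 1.1.0h; it
    # refuses client-initiated renegotiation (the DoS finding above).
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.options |= no_reneg
    return ctx


def context_is_fs_only(ctx: ssl.SSLContext) -> bool:
    """Verify every enabled suite in the context provides forward secrecy."""
    return all(has_forward_secrecy(c["name"]) for c in ctx.get_ciphers())


def disclosed_server_version(raw_response: str):
    """Return the Server header value if it contains a version number, else None."""
    for line in raw_response.split("\r\n"):
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            return value if re.search(r"\d", value) else None
    return None


if __name__ == "__main__":
    print("Suites without forward secrecy:", non_fs_ciphers(TESTSSL_EXCERPT))
    print("Hardened context FS-only:", context_is_fs_only(hardened_context()))
    print("Server header discloses version:", disclosed_server_version(SAMPLE_RESPONSE))
```

Run against the excerpt, all six listed suites are reported, which is exactly what the testssl "RSA" key-exchange column already tells you; the `hardened_context()` part shows the cipher-string shape that makes such suites disappear from a server's offer, so a re-scan with testssl.sh can confirm the fix.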