Set tls_ciphers to PROFILE=SYSTEM, disable SSLv3

See https://fedoraproject.org/wiki/Packaging:CryptoPolicies
2017-03-10 14:24:08 -08:00 · 2017-03-10 14:24:08 -08:00 · cf3b9a55dc
commit cf3b9a55dc
parent e27e31d616
2 changed files with 19 additions and 1 deletions
--- a/xrdp-0.9.1-xrdp-ini.patch
+++ b/xrdp-0.9.1-xrdp-ini.patch
@ -1,6 +1,23 @@
 diff -urN xrdp-0.9.1/xrdp/xrdp.ini xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini
 --- xrdp-0.9.1/xrdp/xrdp.ini	2016-12-22 09:02:47.000000000 -0800
-+++ xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini	2017-03-09 15:47:04.828968234 -0800
+++ xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini	2017-03-10 14:22:32.547073051 -0800
+@@ -23,12 +23,12 @@
+ crypt_level=high
+ ; X.509 certificate and private key
+ ; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
+-certificate=
+-key_file=
+certificate=/etc/xrdp/cert.pem
+key_file=/etc/xrdp/key.pem
+ ; specify whether SSLv3 should be disabled
+-#disableSSLv3=true
+disableSSLv3=true
+ ; set TLS cipher suites
+-#tls_ciphers=HIGH
+tls_ciphers=PROFILE=SYSTEM
+ 
+ ; Section name to use for automatic login if the client sends username
+ ; and password. If empty, the domain name sent by the client is used.
@@ -147,16 +147,6 @@
 ; Session types
 ;
--- a/xrdp.spec
+++ b/xrdp.spec
@ -189,6 +189,7 @@ systemctl try-restart xrdp.service >/dev/null 2>&1 || :
 - Require /etc/X11/xinit/Xsession, it's called from startwm.sh
 - Call xrdp-keygen with full path in %posttrans
 - Exclude *.so files for non-modules
+- Set tls_ciphers to PROFILE=SYSTEM, disable SSLv3

 * Thu Mar 09 2017 Pavel Roskin <plroskin@gmail.com> - 1:0.9.1-6
 - Make xrdp depend on xorgxrdp, not on tigervnc-server-minimal