Disable weak ciphers for TLS servers
You can disable weak ciphers for TLS servers.
To disable ciphers, append :!<cipher_name> to both cipher_list and server_cipher_list in the /etc/cloudera-scm-agent/config.ini file.
The default values of those cipher configurations in the config.ini file are:
cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1
server_cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1:!CAMELLIA
Append the following to each of the values for cipher_list and server_cipher_list:
:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!AES256-CCM8:!AES256-CCM:!AES128-CCM8:!AES128-CCM:!AES256-SHA256:!AES128-SHA256
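The following is an added example, not Cloudera's code: it applies the append step above to the two default lines and then asks the local OpenSSL (through Python's ssl module) whether any of the listed suites would still be enabled. The helper names (harden, cipher_values, enabled, still_enabled) are hypothetical, and the expansion reflects the OpenSSL build of the machine where the check runs.

```python
import re
import ssl

# Suites the page says to disable in both settings.
EXCLUDE = ("ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 AES256-CCM8 AES256-CCM "
           "AES128-CCM8 AES128-CCM AES256-SHA256 AES128-SHA256").split()
DEFAULT = "HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1"
# Constructed sample input: only the two default lines quoted on the page.
SAMPLE_INI = f"cipher_list={DEFAULT}\nserver_cipher_list={DEFAULT}:!CAMELLIA\n"
# Hypothetical helper pattern: key, separator, value of either setting.
KEY_RE = re.compile(r"^(\s*(?:server_)?cipher_list)(\s*=\s*)(\S+)\s*$")

def harden(ini_text):
    """Append every missing :!<cipher_name> to both settings (idempotent)."""
    out = []
    for line in ini_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            tokens = m.group(3).split(":")
            tokens += ["!" + c for c in EXCLUDE if "!" + c not in tokens]
            line = m.group(1) + m.group(2) + ":".join(tokens)
        out.append(line)
    return "\n".join(out) + "\n"

def cipher_values(ini_text):
    """Return {setting name: cipher string} for the two settings."""
    found = (KEY_RE.match(line) for line in ini_text.splitlines())
    return {m.group(1).strip(): m.group(3) for m in found if m}

def enabled(cipher_string):
    """Suite names the local OpenSSL enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is left
    return {c["name"] for c in ctx.get_ciphers()}

def still_enabled(ini_text):
    """Per setting, the suites from EXCLUDE that its string still allows."""
    return {k: sorted(enabled(v) & set(EXCLUDE))
            for k, v in cipher_values(ini_text).items()}

if __name__ == "__main__":
    hardened = harden(SAMPLE_INI)
    print(hardened, end="")
    print("before:", still_enabled(SAMPLE_INI))
    print("after: ", still_enabled(hardened))
```

An empty list for both settings in the "after" line means none of the listed suites can be negotiated with the edited strings.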