Hello MAAS folks,
Currently we are using MAAS to help with provisioning our infrastructure, but recently we have become aware that by default MAAS 3.5.2 allows for medium-strength cipher suites, which is triggering alerts for our security and compliance teams.
Specifically, it seems that MAAS has support enabled for ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA, which seems to be the issue.
Digging around the source code, it seems there’s no way to modify the snap package’s nginx configuration for MAAS as seen at maas/src/maasserver/templates/http/regiond.nginx.conf.template at dbdb317f6a988cfe561432418e642a530e8df825 · canonical/maas · GitHub
I was curious about the following:
- Besides putting HAProxy/Nginx in front of MAAS, is there any other way we could configure/control this?
- Are there plans to make the nginx SSL ciphers customizable in the future with the MAAS snap image?
Thank you for your time.