From 5878f074541d87ccd2db1f43e23c21452e81126b Mon Sep 17 00:00:00 2001
From: Rhonda D'Vine
Date: Thu, 11 Oct 2018 12:05:19 +0200
Subject: [PATCH] Update default CIPHERS to a more current list

The default CIPHERS allowed for a fair amount of not really considered secure anymore connections. This updated cipher list is taken from mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Rhonda D'Vine
---
 PVE/Service/pveproxy.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index bb60b29e..b286931b 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -106,7 +106,7 @@ sub init {
 method => 'any',
 sslv2 => 0,
 sslv3 => 0,
- cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
+ cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
 key_file => '/etc/pve/local/pve-ssl.key',
 cert_file => '/etc/pve/local/pve-ssl.pem',
 },
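Review bot: The new default on the `cipher_list` line is a long inline literal with no comment recording its origin or date, so a later reader cannot tell which revision of the Mozilla recommendation it tracks or when it is due for review; a comment above it such as `# default from https://wiki.mozilla.org/Security/Server_Side_TLS as of 2018-10, re-check when that page changes` would fix that. Every suite in the list is an ECDHE suite with GCM, ChaCha20-Poly1305 or a SHA-2 MAC, which OpenSSL only offers for TLS 1.2, so although `method => 'any'` with just `sslv2`/`sslv3` disabled still accepts TLS 1.0/1.1 hellos, those clients will now fail with no shared cipher; that compatibility break deserves a line in the commit message or the CIPHERS documentation. The list's ordering only has an effect if server cipher preference is enabled, which cannot be confirmed here because `sub init` and the hash being built both start and end outside the hunk.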