Apache Patches

[Wolfgang Apolinarski <wolfgang.apolinarski@googlemail.com>]

[-- Attachment #1: Type: text/plain, Size: 1491 bytes --]

Hi everyone,

regarding the latest apache patches (sorry, I will discuss several patches in one mail):

"disable obsolete and unused ciphers in Apache SSL configuration"
This looks good to me, but why don't we use a standard configuration, like the one that the Mozilla SSL Configuration Generator outputs (or maybe build on that)?
https://mozilla.github.io/server-side-tls/ssl-config-generator/ 

It could make sense to still support DHE parameters, since they provide PFS - in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre-generate a 2048 bit DH param and use that, if the user is not re-generating it. This is still a lot better than using the standard Apache DH params. I also discovered while searching for standard DH params that there exist other firewall distributions that do it exactly this way.

"add ECDSA certificate and key files to Apache configuration"
I think that if we add "SSLCertificateFile" twice to the configuration, the first one will just be overwritten. So in this case, the server.crt|key are not used at all.

Another word to the "Require" statements from Apache. As you already noticed, they are ORed, if they are not in a RequireAll|Any|None block. To make this behavior transparent, I would suggest to always use the RequireX block and don't rely on the default (RequireAny->OR), if possible. This is just a note to everyone that updates/creates access control within the Apache configuration.

Best regards,
Wolfgang