From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wolfgang Apolinarski To: development@lists.ipfire.org Subject: Apache Patches Date: Tue, 03 Oct 2017 15:19:48 +0200 Message-ID: <000b01d33c4a$4aa12e80$dfe38b80$@googlemail.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8504626075439178207==" List-Id: --===============8504626075439178207== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi everyone, regarding the latest apache patches (sorry, I will discuss several patches in= one mail): "disable obsolete and unused ciphers in Apache SSL configuration" This looks good to me, but why don't we use a standard configuration, like th= e one that the Mozilla SSL Configuration Generator outputs (or maybe build on= that)? https://mozilla.github.io/server-side-tls/ssl-config-generator/=20 It could make sense to still support DHE parameters, since they provide PFS -= in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre-gener= ate a 2048 bit DH param and use that, if the user is not re-generating it. Th= is is still a lot better than using the standard Apache DH params. I also dis= covered while searching for standard DH params that there exist other firewal= l distributions that do it exactly this way. "add ECDSA certificate and key files to Apache configuration" I think that if we add "SSLCertificateFile" twice to the configuration, the f= irst one will just be overwritten. So in this case, the server.crt|key are no= t used at all. Another word to the "Require" statements from Apache. As you already noticed,= they are ORed, if they are not in a RequireAll|Any|None block. To make this = behavior transparent, I would suggest to always use the RequireX block and do= n't rely on the default (RequireAny->OR), if possible. This is just a note to= everyone that updates/creates access control within the Apache configuration. Best regards, Wolfgang --===============8504626075439178207==--