Re: [PATCH] change Apache TLS cipher list to "Mozilla Modern"

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] change Apache TLS cipher list to "Mozilla Modern"
Date: Wed, 08 Nov 2017 22:17:33 +0100	[thread overview]
Message-ID: <006f01d358d6$feb55a60$fc200f20$@ipfire.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 2894 bytes --]

Hi Michael and Peter,

> 
> Actually I proposed that in the discussion to another patch, but
> Wolfgang said that we would exclude too many systems.

I still think that there might be too many clients, which do not have support for TLS 1.2.
I would suggest postponing this step to next year.

Also, for the modern configuration, we should edit the SSLProtocol value:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
This allows anyone to understand that only TLSv1.2+ is supported.

Regarding the re-ordering of the cipher suites:
ECDHE-ECDSA is not always faster than ECDHE-RSA.
It depends on the size of the EC and the RSA key.
Although I'm assuming that a 4096-bit key is quite slow...
I somewhere read that 2048-bit RSA is faster than 256-bit curve.
We are using a 4096-bit RSA together with a 384-bit curve. Did anyone perform some measurements?

> 
> Did you see that conversation?

And I really thought that maybe my mail did not make it through after reading the patch...

Best regards,
Wolfgang

> 
> On Tue, 2017-11-07 at 20:51 +0100, Peter Müller wrote:
> > Change the TLS cipher list of Apache to "Mozilla Modern".
> >
> > ECDSA is preferred over RSA to save CPU time on both server and
> > client. Clients without support for TLS 1.2 and AES will experience
> > connection failures.
> >
> > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > ---
> >  config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index c9ccd5be5..d08d3d2bb 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -9,7 +9,7 @@
> >      TransferLog /var/log/httpd/access_log
> >      SSLEngine on
> >      SSLProtocol all -SSLv2 -SSLv3
> > -    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA
> > -AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:EC
> > DHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA2
> > 56:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-S
> > HA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:
> > CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256
> > -SHA
> > +    SSLCipherSuite
> > + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-EC
> > + DSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-S
> > + HA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-
> > + RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA25
> > + 6
> >      SSLHonorCipherOrder on
> >      SSLCertificateFile /etc/httpd/server.crt
> >      SSLCertificateKeyFile /etc/httpd/server.key

next             reply	other threads:[~2017-11-08 21:17 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-08 21:17 Wolfgang Apolinarski [this message]
2017-11-08 21:44 ` Peter Müller
2017-11-09 21:35   ` AW: " Wolfgang Apolinarski
2017-11-09 23:17     ` Michael Tremer
2017-11-10 11:53       ` Horace Michael
2017-11-11 14:48       ` Paul Simmons
2017-11-11 19:27       ` Peter Müller
2017-11-11 19:48         ` Tom Rymes
2017-11-14 15:28           ` Michael Tremer
2017-11-14 23:53             ` AW: " Wolfgang Apolinarski
2017-11-20 19:12               ` Peter Müller
2017-11-11 19:38       ` AW: " Matthias Fischer
2017-11-11 19:39     ` Peter Müller
  -- strict thread matches above, loose matches on Subject: below --
2017-11-07 19:51 Peter Müller
2017-11-07 23:08 ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='006f01d358d6$feb55a60$fc200f20$@ipfire.org' \
    --to=wolfgang.apolinarski@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox