public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Apache Patches
Date: Wed, 04 Oct 2017 16:49:16 +0100	[thread overview]
Message-ID: <1507132156.433.14.camel@ipfire.org> (raw)
In-Reply-To: <000b01d33c4a$4aa12e80$dfe38b80$@googlemail.com>


Hi,

On Tue, 2017-10-03 at 15:19 +0200, Wolfgang Apolinarski wrote:
> Hi everyone,
> 
> regarding the latest Apache patches (sorry, I will discuss several patches in
> one mail):

Yes, this is indeed not a good idea. I do not understand very well what you are
referring to sometimes. So it would have been better to reply to the original
email and quote the part you are referring to. That leads to more emails, but it
is easier to read.

-Michael

> 
> "disable obsolete and unused ciphers in Apache SSL configuration"
> This looks good to me, but why don't we use a standard configuration, like the
> one that the Mozilla SSL Configuration Generator outputs (or maybe build on
> that)?
> https://mozilla.github.io/server-side-tls/ssl-config-generator/ 
> 
> It could make sense to still support DHE parameters, since they provide PFS -
> in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre-
> generate a 2048 bit DH param and use that, if the user is not re-generating
> it. This is still a lot better than using the standard Apache DH params. I
> also discovered while searching for standard DH params that there exist other
> firewall distributions that do it exactly this way.
> 
> "add ECDSA certificate and key files to Apache configuration"
> I think that if we add "SSLCertificateFile" twice to the configuration, the
> first one will just be overwritten. So in this case, the server.crt|key are
> not used at all.
> 
> Another word on the "Require" statements from Apache. As you already noticed,
> they are ORed if they are not in a RequireAll|Any|None block. To make this
> behavior transparent, I would suggest always using a RequireX block and not
> relying on the default (RequireAny -> OR), if possible. This is just a note
> to everyone who updates/creates access control within the Apache
> configuration.
> 
> Best regards,
> Wolfgang
> 

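The RequireAny-vs-RequireAll point raised in the quoted mail, worked through as an added example (this is not IPFire code and not part of the thread): a small evaluator that models the subset of Apache 2.4 mod_authz_core semantics needed to show the difference. It assumes boolean results for the `ip`, `user`, `valid-user` and `all` providers, an implicit RequireAny around bare directives (Apache's documented default), and the three container directives; negation (`Require not`) and the remaining providers are deliberately not modelled. The three configuration fragments are constructed for the demonstration.

```python
"""Evaluate Apache 'Require' lines to show why bare directives are ORed.

Added example, not code from IPFire or from the mail above. Models only a
subset of mod_authz_core: providers ip/user/valid-user/all, and the
RequireAll/RequireAny/RequireNone containers. Bare directives outside any
container are treated as an implicit RequireAny, as Apache 2.4 documents.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Req:
    """Request context: client address and the authenticated user, if any."""
    ip: str
    user: Optional[str] = None


@dataclass
class Block:
    """A <RequireAll|Any|None> container; the top level is an implicit RequireAny."""
    mode: str                                                   # "any", "all" or "none"
    items: List[Union["Block", Tuple[str, List[str]]]] = field(default_factory=list)


_OPEN = re.compile(r"<Require(All|Any|None)>$", re.I)
_CLOSE = re.compile(r"</Require(All|Any|None)>$", re.I)
_DIRECTIVE = re.compile(r"Require\s+(\S+)\s*(.*)$", re.I)


def parse(config: str) -> Block:
    """Build the Require tree from a configuration fragment."""
    root = Block("any")
    stack = [root]
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            block = Block(m.group(1).lower())
            stack[-1].items.append(block)
            stack.append(block)
            continue
        m = _CLOSE.match(line)
        if m:
            if len(stack) == 1 or stack[-1].mode != m.group(1).lower():
                raise ValueError("mismatched closing tag: " + line)
            stack.pop()
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        stack[-1].items.append((m.group(1).lower(), m.group(2).split()))
    if len(stack) != 1:
        raise ValueError("unclosed Require container")
    return root


def _directive(provider: str, args: List[str], req: Req) -> bool:
    """Decide one 'Require <provider> <args>' line (assumed boolean semantics)."""
    if provider == "all":
        return args == ["granted"]
    if provider == "ip":
        addr = ipaddress.ip_address(req.ip)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if provider == "valid-user":
        return req.user is not None
    if provider == "user":
        return req.user is not None and req.user in args
    raise ValueError("provider not modelled: " + provider)


def evaluate(block: Block, req: Req) -> bool:
    """Combine the results of a container's children according to its mode."""
    results = [evaluate(i, req) if isinstance(i, Block) else _directive(i[0], i[1], req)
               for i in block.items]
    if block.mode == "any":
        return any(results)                     # one match is enough: OR
    if block.mode == "all":
        return bool(results) and all(results)   # every line must match: AND
    return not any(results)                     # "none": deny if anything matches


def allowed(config: str, req: Req) -> bool:
    return evaluate(parse(config), req)


# Constructed fragment: reads like "LAN clients who are admin", but is ORed.
BARE = """
Require ip 192.168.0.0/24
Require user admin
"""

# Same intent with the relationship spelled out.
EXPLICIT = """
<RequireAll>
    Require ip 192.168.0.0/24
    Require user admin
</RequireAll>
"""

# Nested form: admin from the LAN, except from one excluded host.
NESTED = """
<RequireAll>
    Require ip 192.168.0.0/24
    Require user admin
    <RequireNone>
        Require ip 192.168.0.99
    </RequireNone>
</RequireAll>
"""

if __name__ == "__main__":
    clients = (Req("192.168.0.10"), Req("192.168.0.10", "admin"), Req("203.0.113.7", "admin"))
    for name, cfg in (("bare", BARE), ("explicit", EXPLICIT), ("nested", NESTED)):
        print(name, [allowed(cfg, c) for c in clients])
```

With the bare form an unauthenticated LAN client is granted because the `ip` line alone satisfies the implicit RequireAny; wrapping the same two lines in `<RequireAll>` is what actually requires both conditions.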

Thread overview: 4+ messages
2017-10-03 13:19 Wolfgang Apolinarski
2017-10-04 15:49 ` Michael Tremer [this message]
2017-10-04 19:06 ` Peter Müller
2017-10-04 19:59   ` AW: " Wolfgang Apolinarski
