From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Apache Patches
Date: Wed, 04 Oct 2017 16:49:16 +0100
Message-ID: <1507132156.433.14.camel@ipfire.org>
In-Reply-To: <000b01d33c4a$4aa12e80$dfe38b80$@googlemail.com>

Hi,

On Tue, 2017-10-03 at 15:19 +0200, Wolfgang Apolinarski wrote:
> Hi everyone,
>
> regarding the latest apache patches (sorry, I will discuss several patches in
> one mail):

Yes, this is indeed not a good idea. I do not understand very well what you are
referring to sometimes. So it would have been better to reply to the original
email and quote that part you are referring to. Leads to more emails, but is
easier to read.

-Michael

>
> "disable obsolete and unused ciphers in Apache SSL configuration"
> This looks good to me, but why don't we use a standard configuration, like the
> one that the Mozilla SSL Configuration Generator outputs (or maybe build on
> that)?
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> It could make sense to still support DHE parameters, since they provide PFS -
> in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre-
> generate a 2048 bit DH param and use that, if the user is not re-generating
> it. This is still a lot better than using the standard Apache DH params. I
> also discovered while searching for standard DH params that there exist other
> firewall distributions that do it exactly this way.
>
> "add ECDSA certificate and key files to Apache configuration"
> I think that if we add "SSLCertificateFile" twice to the configuration, the
> first one will just be overwritten. So in this case, the server.crt|key are
> not used at all.
>
> Another word to the "Require" statements from Apache. As you already noticed,
> they are ORed, if they are not in a RequireAll|Any|None block. To make this
> behavior transparent, I would suggest to always use the RequireX block and
> don't rely on the default (RequireAny->OR), if possible. This is just a note
> to everyone that updates/creates access control within the Apache
> configuration.
>
> Best regards,
> Wolfgang
>
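To make the two configuration points raised in the thread concrete, here is an added Apache httpd example (written for this archive page; it is not part of the thread and not IPFire's shipped httpd.conf). File paths and the address range are placeholders.

```apache
# Added example, not from the IPFire tree. Paths and the 192.168.1.0/24
# range are constructed placeholders.

# Ambiguous form: two bare Require lines outside any container are merged
# with Apache's default RequireAny, so EITHER a matching source address OR
# a valid login is sufficient to reach /admin.
<Location "/admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/path/to/htpasswd"
    Require ip 192.168.1.0/24
    Require valid-user
</Location>

# Explicit form: the same two rules inside RequireAll, so BOTH conditions
# must hold. The intent is visible without knowing the default merge rule,
# and switching to RequireAny later is a deliberate, reviewable change.
<Location "/admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/path/to/htpasswd"
    <RequireAll>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAll>
</Location>

# Forward secrecy for DHE suites: hand mod_ssl pre-generated 2048-bit
# parameters (created once with: openssl dhparam -out dhparam.pem 2048)
# instead of relying on Apache's built-in defaults. SSLOpenSSLConfCmd needs
# httpd 2.4.8 or later built against OpenSSL 1.0.2 or later.
SSLOpenSSLConfCmd DHParameters "/path/to/dhparam.pem"
SSLHonorCipherOrder on
```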