From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] prefer ECDSA over RSA and remove clutter
Date: Wed, 11 Oct 2017 20:18:33 +0100
Message-ID: <1507749513.2995.11.camel@ipfire.org>
In-Reply-To: <20171011192410.091353fb.peter.mueller@link38.eu>

Yay, finally this worked :)

All merged!

-Michael

On Wed, 2017-10-11 at 19:24 +0200, Peter Müller wrote:
> Prioritize ECDSA before RSA and remove unused cipher suites.
> Remove redundant OpenSSL directives to make SSL configuration more readable.
>
> Signed-off-by: Peter Müller
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd= /vhosts.d/ipfire-interface-ssl.conf > index 816b9e637..995c28e52 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -9,7 +9,7 @@ > TransferLog /var/log/httpd/access_log > SSLEngine on > SSLProtocol all -SSLv2 -SSLv3 > - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA2= 56:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-G= CM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE= -ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AE= S256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256= -SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-A= ES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-G= CM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK > + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256= :ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA3= 84:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256= :ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECD= HE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:= AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA > SSLHonorCipherOrder on > SSLCertificateFile /etc/httpd/server.crt > SSLCertificateKeyFile /etc/httpd/server.key
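
Review bot: The added SSLCipherSuite line drops every DHE-RSA suite but keeps the static-RSA suites at its tail (AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, CAMELLIA128-SHA and their 256-bit counterparts), so a client without ECDHE support now negotiates a key exchange with no forward secrecy where the old list could still offer DHE. Consider dropping those tail entries, or stating in the commit message which clients still require them. Separately, the unchanged context loads a single certificate/key pair (/etc/httpd/server.crt, /etc/httpd/server.key); the ECDHE-ECDSA suites at the head of the list can only be selected when an ECDSA certificate is configured, so the commit message should say where in the series that is added.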