From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Updated Apache configuration
Date: Sat, 28 Oct 2017 13:45:39 +0100
Message-ID: <1509194739.2749.17.camel@ipfire.org>
In-Reply-To: <004b01d34e89$160a82b0$421f8810$@ipfire.org>

Hi,

On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
> Hi!
>
> This last patch is just a suggestion on how an Apache configuration based on the Mozilla suggestion would look like.

This seems to differ a little bit from what I have seen on here:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Where did you get this from?

> It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.

So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline.

Is that an option that could also work for us?

I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong.

> Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.

Best,
-Michael

P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch.
>
> Best regards,
> Wolfgang
>