On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
> Hi,
>
> On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
> > Hi!
> >
> > This last patch is just a suggestion on what an Apache configuration based on the Mozilla suggestion would look like.
>
> This seems to differ a little bit from what I have seen on here:
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> Where did you get this from?

I can answer the question myself... It is the intermediate configuration and you added the DH params. I would suggest using modern, and then we won't have the DH params problem any more. Good or bad idea?

> > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
>
> So since they are only suggesting cipher suites that either use ECDHE
> or no PFS at all, there is no need for generating the DH parameter
> offline. Is that an option that could also work for us?
>
> I do not care to be compatible with Windows XP. If that is the only
> system from which it is possible to configure your firewall, you are
> doing it wrong.
>
> > Generating the DH parameter has been the suggested approach by the weakdh team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar to the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
>
> Best,
> -Michael
>
> P.S. You can send these comments as a cover letter or even put them
> directly into the commit message. I didn't see the connection in the
> first place between this email and the patch.
>
> > Best regards,
> > Wolfgang
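To illustrate the point made in the thread (the intermediate profile needs a generated DH parameter because it still offers DHE suites, while an ECDHE-only profile does not), here is an added Apache mod_ssl fragment. It is not the patch under discussion nor the Mozilla generator's verbatim output; the cipher list, the curve, and the `/etc/httpd/dhparams.pem` path are assumptions for the example.

```apache
# Added example: two ways to configure mod_ssl (Apache 2.4.8+).
# Only one of the two blocks would be active in a real vhost.

# --- Option A: intermediate-style profile (offers DHE suites) ---
# Because DHE-* suites are enabled, the server must load its own
# DH group, otherwise mod_ssl falls back to a built-in default group.
# The file would be generated offline, e.g. with `openssl dhparam 4096`.
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder     on
SSLOpenSSLConfCmd       DHParameters "/etc/httpd/dhparams.pem"   # assumed path

# --- Option B: modern-style profile (ECDHE only, no DHE suites) ---
# No DHE-* suite is offered, so no DH parameter file is needed at all;
# forward secrecy comes from ephemeral ECDH on the configured curve.
# Leave out SSLOpenSSLConfCmd DHParameters entirely in this case.
# SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
# SSLHonorCipherOrder     on
# SSLOpenSSLConfCmd       ECDHParameters secp384r1   # assumed curve choice
```

Checking which block is in effect is simple: with Option B, `openssl s_client -cipher DHE` against the server must fail to negotiate a handshake, and a successful handshake on the default cipher list must report an ECDHE suite.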