From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Updated Apache configuration
Date: Sat, 28 Oct 2017 13:48:54 +0100
Message-ID: <1509194934.2749.19.camel@ipfire.org>
In-Reply-To: <1509194739.2749.17.camel@ipfire.org>

On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
> Hi,
> 
> On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
> > Hi!
> > 
> > This last patch is just a suggestion on how an Apache configuration based on the Mozilla suggestion would look.
> 
> This seems to differ a little bit from what I have seen on here:
> 
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> 
> Where did you get this from?

I can answer the question myself... It is the intermediate configuration and you added the DH params. I would suggest using modern and then we won't have the DH params problem any more. Good or bad idea?

> 
> > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
> 
> So since they are only suggesting cipher suites that either use ECDHE
> or no PFS at all there is no need for generating the DH parameter
> offline. Is that an option that could also work for us?
> 
> I do not care to be compatible with Windows XP. If that is the only
> system from which it is possible to configure your firewall you are
> doing it wrong.
> 
> > Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar to the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
> 
> Best,
> -Michael
> 
> P.S. You can send these comments as a cover letter or even put them
> directly into the commit message. I didn't see the connection in the
> first place between this email and the patch.
> 
> > 
> > Best regards,
> > Wolfgang
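The two cipher policies the thread weighs against each other, as an added illustration in Apache mod_ssl syntax that is not the patch under discussion: an intermediate-style profile that keeps DHE suites and therefore needs the generated DH group, beside a modern-style profile that uses ECDHE only and needs no DH parameter file. The cipher lists are an illustrative subset chosen by the editor rather than Mozilla's exact lists, and the paths, ports and ServerName are assumptions.

```apache
# Added illustration, not the patch discussed in this thread. Cipher lists
# are an illustrative subset picked by the editor, not Mozilla's exact
# lists; take current values from the generator linked above.
# Paths, ports and ServerName are assumptions. The two vhosts are
# alternatives, placed on different ports only so both parse side by side.

# Intermediate-style policy: keeps DHE-RSA (finite-field Diffie-Hellman)
# suites for older clients. DHE needs a DH group, which is why the patch
# ships generated 4096-bit parameters; without the directive mod_ssl
# falls back to its built-in group.
<VirtualHost *:444>
    ServerName ipfire.example
    SSLEngine on
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
    # httpd 2.4.8+ with OpenSSL 1.0.2+; file produced offline with
    # "openssl dhparam -out dhparams.pem 4096"
    SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem
</VirtualHost>

# Modern-style policy: TLS 1.2 only and ECDHE suites only. The ephemeral
# exchange runs on the named curve, so no DH parameter file is generated
# or referenced, which is what "use modern" buys in the thread.
<VirtualHost *:445>
    ServerName ipfire.example
    SSLEngine on
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # optional: pin the curve used for ECDHE (OpenSSL 1.0.2+)
    SSLOpenSSLConfCmd Curves secp384r1
</VirtualHost>
```

Whichever profile is chosen, checking the result with `openssl s_client -cipher DHE` against the server shows directly whether any finite-field DHE suite is still negotiable.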