From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] change Apache TLS cipher list to "Mozilla Modern"
Date: Tue, 07 Nov 2017 23:08:16 +0000
Message-ID: <1510096096.2768.21.camel@ipfire.org>
In-Reply-To: <20171107205132.4c8a285a.peter.mueller@link38.eu>

Actually I proposed that in the discussion to another patch, but Wolfgang said that we would exclude too many systems. Did you see that conversation?

-M

On Tue, 2017-11-07 at 20:51 +0100, Peter Müller wrote:
> Change the TLS cipher list of Apache to "Mozilla Modern".
>
> ECDSA is preferred over RSA to save CPU time on both server
> and client. Clients without support for TLS 1.2 and AES will
> experience connection failures.
>
> Signed-off-by: Peter Müller
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd= /vhosts.d/ipfire-interface-ssl.conf > index c9ccd5be5..d08d3d2bb 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf 
> @@ -9,7 +9,7 @@ > TransferLog /var/log/httpd/access_log > SSLEngine on > SSLProtocol all -SSLv2 -SSLv3 > - SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256= :ECDHE-ECDSA > -AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-E= CDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA= -AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES= 256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM= -SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA > + SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY= 1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES1= 28-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-A= ES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > SSLHonorCipherOrder on > SSLCertificateFile /etc/httpd/server.crt > SSLCertificateKeyFile /etc/httpd/server.key
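
Review bot: The unchanged context line `SSLProtocol all -SSLv2 -SSLv3` no longer matches the new `SSLCipherSuite` value. Every suite on the `+` line (the GCM and CHACHA20-POLY1305 suites, and the CBC suites with SHA256/SHA384) is defined only for TLS 1.2, so TLS 1.0 and 1.1 remain enabled at the protocol level but have no cipher they can negotiate. Consider changing that line in the same patch to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, so the configuration states the TLS 1.2 requirement from the commit message explicitly instead of leaving it implied by the cipher list. The commit message could also record that the SHA-1, static-RSA (non-ECDHE) and CAMELLIA suites from the `-` line are all removed, since it currently mentions only TLS 1.2 and AES.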