Hi,

I guess this is a simple patch that will merge straight away.

We can sort out the cipher suites later.

-Michael

On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote:
> Ensure that Apache never uses SSL compression, which is vulnerable,
> and turn off session tickets since the might cause impact to PFS.
> 
> Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index d08d3d2bb..53115cfd4 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -11,6 +11,8 @@
>      SSLProtocol all -SSLv2 -SSLv3
>      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-
> POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-
> AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-
> RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
>      SSLHonorCipherOrder on
> +    SSLCompression off
> +    SSLSessionTickets off
>      SSLCertificateFile /etc/httpd/server.crt
>      SSLCertificateKeyFile /etc/httpd/server.key
>      SSLCertificateFile /etc/httpd/server-ecdsa.crt