From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] disable SSL compression and session tickets in Apache
Date: Sun, 19 Nov 2017 15:59:54 +0000
Message-ID: <1511107194.4838.520.camel@ipfire.org>
In-Reply-To: <20171119145432.2e1ad551.peter.mueller@link38.eu>

Hi,

I guess this is a simple patch that will merge straight away. We can sort out the cipher suites later.

-Michael

On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote:
> Ensure that Apache never uses SSL compression, which is vulnerable,
> and turn off session tickets since they might cause impact to PFS.
>
> Reported-by: Wolfgang Apolinarski
> Signed-off-by: Peter Müller
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index d08d3d2bb..53115cfd4 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -11,6 +11,8 @@ > SSLProtocol all -SSLv2 -SSLv3 > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20- > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDS= A- > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > SSLHonorCipherOrder on > + SSLCompression off > + SSLSessionTickets off > SSLCertificateFile /etc/httpd/server.crt > SSLCertificateKeyFile /etc/httpd/server.key > SSLCertificateFile /etc/httpd/server-ecdsa.crt
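Review bot: with `SSLSessionTickets off`, session resumption falls back to the server-side cache, and nothing in this vhost hunk sets `SSLSessionCache`, so please confirm it is configured in the main httpd.conf; otherwise clients cannot resume at all and every connection to the web interface needs a full handshake. Two smaller points on the same two added lines: `SSLSessionTickets` is only accepted by httpd 2.4.11 and later (built against OpenSSL 0.9.8f or later), so an older httpd will fail to start on this config, which is worth stating in the commit message; and the PFS rationale would read more precisely as "mod_ssl never rotates its ticket encryption key, so a compromised key exposes every recorded session that was resumed with a ticket", since that is the exposure `SSLSessionTickets off` removes. `SSLCompression off` is fine as written: it is already the default in current 2.4 releases, and making it explicit is harmless.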