From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] disable SSL compression and session tickets in Apache
Date: Sun, 19 Nov 2017 16:04:42 +0000
Message-ID: <1511107482.4838.525.camel@ipfire.org>
In-Reply-To: <1511107194.4838.520.camel@ipfire.org>

As I thought this isn't based against next...

On Sun, 2017-11-19 at 15:59 +0000, Michael Tremer wrote:
> Hi,
> 
> I guess this is a simple patch that will merge straight away.
> 
> We can sort out the cipher suites later.
> 
> -Michael
> 
> On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote:
> > Ensure that Apache never uses SSL compression, which is vulnerable,
> > and turn off session tickets since they might cause impact to PFS.
> > 
> > Reported-by: Wolfgang Apolinarski
> > Signed-off-by: Peter Müller
> > ---
> > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
> > 1 file changed, 2 insertions(+)
> > 
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index d08d3d2bb..53115cfd4 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -11,6 +11,8 @@
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-
> > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-
> > ECDSA-
> > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-
> > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> > SSLHonorCipherOrder on
> > + SSLCompression off
> > + SSLSessionTickets off
> > SSLCertificateFile /etc/httpd/server.crt
> > SSLCertificateKeyFile /etc/httpd/server.key
> > SSLCertificateFile /etc/httpd/server-ecdsa.crt
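Review bot: `SSLSessionTickets off` is only accepted by mod_ssl from httpd 2.4.11 onward, and an unrecognised directive stops httpd from starting at all, so the hunk needs a check against the httpd version IPFire actually ships (the patch does not say) before it goes in. `SSLCompression off` is the default since httpd 2.4.4, so the line is harmless explicit hardening; a short comment above the two added lines saying why they are there (CRIME-style compression attacks, ticket keys undermining forward secrecy) would save the next reader a trip to the mailing list. Note also that with tickets disabled, session resumption depends entirely on a server-side `SSLSessionCache`; nothing in this hunk shows one being configured, so either confirm it is set elsewhere in the httpd config or accept that every client connection performs a full handshake. After deploying, the result can be verified with `openssl s_client -connect <host>:<port> </dev/null 2>/dev/null | grep -E 'Compression:|TLS session ticket'`, which should print `Compression: NONE` and no `TLS session ticket` block.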