From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] disable SSL compression and session tickets in Apache
Date: Mon, 20 Nov 2017 15:47:55 +0000
Message-ID: <1511192875.4838.540.camel@ipfire.org>
In-Reply-To: <20171119172436.7f830eca.peter.mueller@link38.eu>

Okay, cool. Merged.

Please don't forget to pick up the conversation on cipher suites...

-Michael

On Sun, 2017-11-19 at 17:24 +0100, Peter Müller wrote:
> Ensure that Apache never uses SSL compression, which is vulnerable,
> and turn off session tickets since they might cause impact to PFS.
> 
> Based against next, supersedes first version.
> 
> Reported-by: Wolfgang Apolinarski
> Signed-off-by: Peter Müller
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index c9ccd5be5..dacf6a005 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -11,6 +11,8 @@ > SSLProtocol all -SSLv2 -SSLv3 > SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- > SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA- > AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA- > AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA- > AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128- > SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-= SHA > SSLHonorCipherOrder on > + SSLCompression off > + SSLSessionTickets off > SSLCertificateFile /etc/httpd/server.crt > SSLCertificateKeyFile /etc/httpd/server.key > SSLCertificateFile /etc/httpd/server-ecdsa.crt
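Review bot: the two `+` lines are the right directives, but `SSLSessionTickets` is only recognised by httpd 2.4.11 and later (built against OpenSSL 0.9.8f or newer); on an older mod_ssl the whole vhost file fails to parse with an unknown-directive error and httpd does not start, so the httpd version shipped on next should be confirmed before this is relied upon. `SSLCompression off` restates the built-in default of current 2.4 releases and is fine as an explicit statement of intent. The `SSLCipherSuite` context line in the same hunk still lists static-RSA suites with no forward secrecy at all (AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, CAMELLIA128-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA), so the PFS rationale given in the commit message for disabling tickets only takes full effect once the cipher-suite follow-up Michael asks for lands; the commit message could say which weakness of SSL compression it has in mind rather than just "vulnerable".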