From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject:
 [PATCH] disable obsolete and unused ciphers in Apache SSL configuration
Date: Mon, 04 Sep 2017 19:34:52 +0200
Message-ID: <20170904193452.485039d4.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4170812949271813597=="
List-Id: <development.lists.ipfire.org>

--===============4170812949271813597==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Perform these modifications to the Apache SSL cipherlist:
- disable unused suites (SRP, DSS, PSK)
- disable DH, DHE and EDH suites (slow and rarely used, vulnerable to LOGJAM)
- prefer ECDSA over RSA
- prefer suites with PFS over those without
- only allow listed cipher suites (makes the list a bit shorter)

This fixes bug #10856.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v=
hosts.d/ipfire-interface-ssl.conf
index 6f353962e..dce40b416 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,7 +9,7 @@
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256=
:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM=
-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-E=
CDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES2=
56-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-S=
HA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES=
256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM=
-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:E=
CDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384=
:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:E=
CDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE=
-RSA-AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CA=
MELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
     SSLHonorCipherOrder on
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key

--===============4170812949271813597==--