Re: Updated Apache configuration

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 2713 bytes --]

Hello Michael, hello Wolfgang,

> On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
> > Hi,
> > 
> > On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:  
> > > Hi!
> > > 
> > > This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.  
> > 
> > This seems to differ a little bit from what I have seen on here:
> > 
> >   https://mozilla.github.io/server-side-tls/ssl-config-generator/
> > 
> > Where did you get this from?  
> 
> I can answer the question myself... It is the intermediate
> configuration and you added the DH params.
> 
> I would suggest to use modern and then we won't have the DH params
> problem any more.
> 
> Good or bad idea?
Basically, I consider this being a good idea.

However, that would mean that we disable support for anything below
TLS 1.2 for the WebUI entirely, which might cause trouble on outdated
systems. But since nobody really wants these legacy cipher suites with
SHA1 and without PFS, moving towards TLS 1.2 only is worth the effort.

But I think it might be a good idea to tell the people about this a
while before and not just in the release notes of the next core update.
That way, they have some time to check whether they will be affected by
this change.

There are also test web services on the internet, i.e. https://mozilla-modern.badssl.com
(or https://www.ipfire.org/ itself since it uses the same TLS configuration).
If someone behind an IPFire machine is unable to reach this site, he/she/it
will experience problems after the update.

Best regards,
Peter Müller
> 
> >   
> > > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.  
> > 
> > So since they are only suggesting cipher suites that either use ECDHE
> > or no PFS at all there is no need for generating the DH parameter
> > offline. Is that an option that could also work for us?
> > 
> > I do not care to be compatible with Windows XP. If that is the only
> > system from which it is possible to configure your firewall you are
> > doing it wrong.
> >   
> > > Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.  
> > 
> > Best,
> > -Michael
> > 
> > P.S. You can send these comments as a cover letter or even put them
> > directly into the commit message. I didn't see the connection in the
> > first place between this email and the patch.
> >   
> > > 
> > > Best regards,
> > > Wolfgang