* Updated Apache configuration @ 2017-10-26 18:34 Wolfgang Apolinarski 2017-10-28 12:45 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Wolfgang Apolinarski @ 2017-10-26 18:34 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 514 bytes --] Hi! This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like. It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144. Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144. Best regards, Wolfgang ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Updated Apache configuration 2017-10-26 18:34 Updated Apache configuration Wolfgang Apolinarski @ 2017-10-28 12:45 ` Michael Tremer 2017-10-28 12:48 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2017-10-28 12:45 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1337 bytes --] Hi, On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote: > Hi! > > This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like. This seems to differ a little bit from what I have seen on here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ Where did you get this from? > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144. So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline. Is that an option that could also work for us? I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong. > Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144. Best, -Michael P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch. > > Best regards, > Wolfgang > [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Updated Apache configuration 2017-10-28 12:45 ` Michael Tremer @ 2017-10-28 12:48 ` Michael Tremer 2017-11-07 19:03 ` Peter Müller 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2017-10-28 12:48 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1679 bytes --] On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote: > Hi, > > On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote: > > Hi! > > > > This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like. > > This seems to differ a little bit from what I have seen on here: > > https://mozilla.github.io/server-side-tls/ssl-config-generator/ > > Where did you get this from? I can answer the question myself... It is the intermediate configuration and you added the DH params. I would suggest to use modern and then we won't have the DH params problem any more. Good or bad idea? > > > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144. > > So since they are only suggesting cipher suites that either use ECDHE > or no PFS at all there is no need for generating the DH parameter > offline. Is that an option that could also work for us? > > I do not care to be compatible with Windows XP. If that is the only > system from which it is possible to configure your firewall you are > doing it wrong. > > > Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144. > > Best, > -Michael > > P.S. You can send these comments as a cover letter or even put them > directly into the commit message. I didn't see the connection in the > first place between this email and the patch. > > > > > Best regards, > > Wolfgang [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Updated Apache configuration 2017-10-28 12:48 ` Michael Tremer @ 2017-11-07 19:03 ` Peter Müller 0 siblings, 0 replies; 4+ messages in thread From: Peter Müller @ 2017-11-07 19:03 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2713 bytes --] Hello Michael, hello Wolfgang, > On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote: > > Hi, > > > > On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote: > > > Hi! > > > > > > This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like. > > > > This seems to differ a little bit from what I have seen on here: > > > > https://mozilla.github.io/server-side-tls/ssl-config-generator/ > > > > Where did you get this from? > > I can answer the question myself... It is the intermediate > configuration and you added the DH params. > > I would suggest to use modern and then we won't have the DH params > problem any more. > > Good or bad idea? Basically, I consider this being a good idea. However, that would mean that we disable support for anything below TLS 1.2 for the WebUI entirely, which might cause trouble on outdated systems. But since nobody really wants these legacy cipher suites with SHA1 and without PFS, moving towards TLS 1.2 only is worth the effort. But I think it might be a good idea to tell the people about this a while before and not just in the release notes of the next core update. That way, they have some time to check whether they will be affected by this change. There are also test web services on the internet, i.e. https://mozilla-modern.badssl.com (or https://www.ipfire.org/ itself since it uses the same TLS configuration). If someone behind an IPFire machine is unable to reach this site, he/she/it will experience problems after the update. Best regards, Peter Müller > > > > > > It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144. > > > > So since they are only suggesting cipher suites that either use ECDHE > > or no PFS at all there is no need for generating the DH parameter > > offline. Is that an option that could also work for us? > > > > I do not care to be compatible with Windows XP. If that is the only > > system from which it is possible to configure your firewall you are > > doing it wrong. > > > > > Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144. > > > > Best, > > -Michael > > > > P.S. You can send these comments as a cover letter or even put them > > directly into the commit message. I didn't see the connection in the > > first place between this email and the patch. > > > > > > > > Best regards, > > > Wolfgang ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-11-07 19:03 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-10-26 18:34 Updated Apache configuration Wolfgang Apolinarski 2017-10-28 12:45 ` Michael Tremer 2017-10-28 12:48 ` Michael Tremer 2017-11-07 19:03 ` Peter Müller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox