From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] disable SSL compression and session tickets in Apache
Date: Sun, 19 Nov 2017 14:54:32 +0100
Message-ID: <20171119145432.2e1ad551.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2632352526287940872=="
List-Id: <development.lists.ipfire.org>

--===============2632352526287940872==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since the might cause impact to PFS.

Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski(a)ipfire.org>
Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v=
hosts.d/ipfire-interface-ssl.conf
index d08d3d2bb..53115cfd4 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -11,6 +11,8 @@
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY13=
05:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128=
-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES=
128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
     SSLHonorCipherOrder on
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
--=20
2.13.6

--===============2632352526287940872==--