From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] disable SSL compression and session tickets in Apache
Date: Sun, 19 Nov 2017 17:25:32 +0100
Message-ID: <20171119172532.5e675c50.peter.mueller@link38.eu>
In-Reply-To: <1511107482.4838.525.camel@ipfire.org>

Hello Michael,

sorry, I forgot that. Sent in a second patch...

Best regards,
Peter Müller

> As I thought this isn't based against next...
>
> On Sun, 2017-11-19 at 15:59 +0000, Michael Tremer wrote:
> > Hi,
> >
> > I guess this is a simple patch that will merge straight away.
> >
> > We can sort out the cipher suites later.
> >
> > -Michael
> >
> > On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote:
> > > Ensure that Apache never uses SSL compression, which is vulnerable,
> > > and turn off session tickets since they might cause impact to PFS.
> > >
> > > Reported-by: Wolfgang Apolinarski
> > > Signed-off-by: Peter Müller
> > > ---
> > > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > index d08d3d2bb..53115cfd4 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > @@ -11,6 +11,8 @@ > > > SSLProtocol all -SSLv2 -SSLv3 > > > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20- > > > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE- > > > ECDSA- > > > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:E= CDHE- > > > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > > > SSLHonorCipherOrder on > > > + SSLCompression off > > > + SSLSessionTickets off > > > SSLCertificateFile /etc/httpd/server.crt > > > SSLCertificateKeyFile /etc/httpd/server.key > > > SSLCertificateFile /etc/httpd/server-ecdsa.crt =20
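Review bot: The added `SSLSessionTickets off` is only understood by httpd 2.4.11 and later (built against OpenSSL 0.9.8f or newer); on an older httpd an unknown directive aborts startup, so the patch should state which httpd version it was tested against, or the build version should be checked before this is merged. `SSLCompression off` has been the default since httpd 2.4.3 and most OpenSSL builds ship without zlib support, so that line is harmless but mostly documents intent rather than changing behaviour. Since the commit message gives forward secrecy as the reason for dropping tickets, the same reasoning applies to the server-side session cache that resumption now falls back to: the global `SSLSessionCache` and `SSLSessionCacheTimeout` settings are not in this hunk and should be reviewed so that cached session state does not outlive the ticket lifetime this change is trying to avoid.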