Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites
Date: Wed, 03 Jun 2015 10:27:33 +0200	[thread overview]
Message-ID: <556EBA75.1040005@web.de> (raw)
In-Reply-To: <1433267218.3370.246.camel@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 2755 bytes --]

Hello Michael,

I tested a bit in the last hours. There were a few issues I discovered
and I had to change my patch.

First, the prime number generation is much slower than I expected - it
took up to 20 minutes on my system. (I guess I had a lucky moment when I
wrote the last mail to you...)
Second, Apache seems to ignore the DH prime numbers. On
https://weakdh.org/sysadmin.html it says that Apache 2.4.8 or newer is
required for the "SSLOpenSSLConfCmd" option.

I have therefore decided to switch DH off, and use ECDHE only, which is
more safe and - by the way - faster than DH. This is not a problem,
because modern browsers support ECDHE, except for some exotic clients
such as Android 2.3.7 and Java Client 6u45.

And yes, you were right: The DES-suites were ignored. Please see the new
cipher list in the patch below. In my opinion, the patch is now ready
for merging, unless you have someting against it.

Signed-off-by: Timmothy Wilson <itsuperhack(a)web.de>
---
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index daac757..a8bbae7 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,7 +9,7 @@
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+    SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:CAMELLIA:HIGH:!DH:!LOW:!aNULL:!eNULL:!EXPORT:!3DES:!DES:!RC4:!MD5:!PSK:!aECDH
     SSLHonorCipherOrder on
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key

Sorry for my harsh words in my last mail about pseudonyms and this stuff.

Best regards,
Timmothy Wilson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

next prev parent reply	other threads:[~2015-06-03  8:27 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1433103512.3370.98.camel@ipfire.org>
2015-06-01  7:13 ` IT Superhack
2015-06-01 12:37   ` Michael Tremer
2015-06-02 16:32     ` IT Superhack
2015-06-02 17:46       ` Michael Tremer
2015-06-03  6:53         ` IT Superhack
2015-06-03  8:27         ` IT Superhack [this message]
2015-06-03  8:45           ` Larsen
2015-06-04 16:05           ` Michael Tremer
2015-06-04 19:48             ` IT Superhack
2015-06-05 12:56               ` Michael Tremer
2015-06-05 18:25                 ` IT Superhack
2015-06-06  9:09                   ` Michael Tremer
2015-06-09 18:29                     ` IT Superhack

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=556EBA75.1040005@web.de \
    --to=itsuperhack@web.de \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox