From mboxrd@z Thu Jan  1 00:00:00 1970
From: peter.mueller@ipfire.org
To: development@lists.ipfire.org
Subject: [PATCH] Apache: drop CBC ciphers for WebUI
Date: Mon, 04 Nov 2019 18:35:00 +0000
Message-ID: <c9e110e7-4e35-1f1d-c917-f4e709e50a0d@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6752147265199420136=="
List-Id: <development.lists.ipfire.org>

--===============6752147265199420136==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.

This patch changes the used cipersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=3Dany      Au=3Dany  Enc=3DCHACHA20/P=
OLY1305(256) Mac=3DAEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=3Dany      Au=3Dany  Enc=3DAESGCM(256) Mac=
=3DAEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=3Dany      Au=3Dany  Enc=3DAESGCM(128) Mac=
=3DAEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(2=
56) Mac=3DAEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DCHACHA20=
/POLY1305(256) Mac=3DAEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DECDSA Enc=3DAESGCM(1=
28) Mac=3DAEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(256)=
 Mac=3DAEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DCHACHA20/PO=
LY1305(256) Mac=3DAEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=3DECDH     Au=3DRSA  Enc=3DAESGCM(128)=
 Mac=3DAEAD

Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v=
hosts.d/ipfire-interface-ssl.conf
index 0166c4920..2009184bb 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -11,7 +11,7 @@
=20
     SSLEngine on
     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_A=
ES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384=
:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-G=
CM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-A=
ES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite AESGCM+EECDH:CHACHA20+EECDH:@STRENGTH:+aRSA
     SSLHonorCipherOrder on
     SSLCompression off
     SSLSessionTickets off
--=20
2.16.4

--===============6752147265199420136==--