Hi,
On Tue, 2017-10-03 at 15:19 +0200, Wolfgang Apolinarski wrote:
Hi everyone,
regarding the latest apache patches (sorry, I will discuss several patches in one mail):
Yes, this is indeed not a good idea. I do not understand very well what you are referring to sometimes. So it would have been better to reply to the original email and quote that part you are referring too. Leads to more emails, but is easier to read.
-Michael
"disable obsolete and unused ciphers in Apache SSL configuration" This looks good to me, but why don't we use a standard configuration, like the one that the Mozilla SSL Configuration Generator outputs (or maybe build on that)? https://mozilla.github.io/server-side-tls/ssl-config-generator/
It could make sense to still support DHE parameters, since they provide PFS - in contrast to the "normal" AES128-GCM-SHA256 parameters. We could pre- generate a 2048 bit DH param and use that, if the user is not re-generating it. This is still a lot better than using the standard Apache DH params. I also discovered while searching for standard DH params that there exist other firewall distributions that do it exactly this way.
"add ECDSA certificate and key files to Apache configuration" I think that if we add "SSLCertificateFile" twice to the configuration, the first one will just be overwritten. So in this case, the server.crt|key are not used at all.
Another word to the "Require" statements from Apache. As you already noticed, they are ORed, if they are not in a RequireAll|Any|None block. To make this behavior transparent, I would suggest to always use the RequireX block and don't rely on the default (RequireAny->OR), if possible. This is just a note to everyone that updates/creates access control within the Apache configuration.
Best regards, Wolfgang