On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
Hi,
On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
Hi!
This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.
This seems to differ a little bit from what I have seen on here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Where did you get this from?
I can answer the question myself... It is the intermediate configuration and you added the DH params.
I would suggest to use modern and then we won't have the DH params problem any more.
Good or bad idea?
It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline. Is that an option that could also work for us?
I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong.
Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
Best, -Michael
P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch.
Best regards, Wolfgang