Ensure that Apache never uses SSL compression, which is vulnerable, and turn off session tickets since the might cause impact to PFS.
Based against next, supersedes first version.
Reported-by: Wolfgang Apolinarski wolfgang.apolinarski@ipfire.org Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index c9ccd5be5..dacf6a005 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,6 +11,8 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt
Okay, cool. Merged.
Please don't forget to pick up the conversation on cipher suites...
-Michael
On Sun, 2017-11-19 at 17:24 +0100, Peter Müller wrote:
Ensure that Apache never uses SSL compression, which is vulnerable, and turn off session tickets since the might cause impact to PFS.
Based against next, supersedes first version.
Reported-by: Wolfgang Apolinarski wolfgang.apolinarski@ipfire.org Signed-off-by: Peter Müller peter.mueller@link38.eu
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index c9ccd5be5..dacf6a005 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,6 +11,8 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128- SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA SSLHonorCipherOrder on
- SSLCompression off
- SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt
-
Michael Tremer -
Peter Müller