Hi!
This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.
It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144. Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
Best regards, Wolfgang
Hi,
On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
Hi!
This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.
This seems to differ a little bit from what I have seen on here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Where did you get this from?
It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline. Is that an option that could also work for us?
I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong.
Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
Best, -Michael
P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch.
Best regards, Wolfgang
On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
Hi,
On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
Hi!
This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.
This seems to differ a little bit from what I have seen on here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Where did you get this from?
I can answer the question myself... It is the intermediate configuration and you added the DH params.
I would suggest to use modern and then we won't have the DH params problem any more.
Good or bad idea?
It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline. Is that an option that could also work for us?
I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong.
Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
Best, -Michael
P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch.
Best regards, Wolfgang
Hello Michael, hello Wolfgang,
On Sat, 2017-10-28 at 13:45 +0100, Michael Tremer wrote:
Hi,
On Thu, 2017-10-26 at 20:34 +0200, Wolfgang Apolinarski wrote:
Hi!
This last patch is just a suggestion on how an apache configuration based on the Mozilla suggestion would look like.
This seems to differ a little bit from what I have seen on here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Where did you get this from?
I can answer the question myself... It is the intermediate configuration and you added the DH params.
I would suggest to use modern and then we won't have the DH params problem any more.
Good or bad idea?
Basically, I consider this being a good idea.
However, that would mean that we disable support for anything below TLS 1.2 for the WebUI entirely, which might cause trouble on outdated systems. But since nobody really wants these legacy cipher suites with SHA1 and without PFS, moving towards TLS 1.2 only is worth the effort.
But I think it might be a good idea to tell the people about this a while before and not just in the release notes of the next core update. That way, they have some time to check whether they will be affected by this change.
There are also test web services on the internet, i.e. https://mozilla-modern.badssl.com (or https://www.ipfire.org/ itself since it uses the same TLS configuration). If someone behind an IPFire machine is unable to reach this site, he/she/it will experience problems after the update.
Best regards, Peter Müller
It includes a 4096-bit DH parameter that is used instead of the one defined in RFC 5144.
So since they are only suggesting cipher suites that either use ECDHE or no PFS at all there is no need for generating the DH parameter offline. Is that an option that could also work for us?
I do not care to be compatible with Windows XP. If that is the only system from which it is possible to configure your firewall you are doing it wrong.
Generating the DH parameter has been the suggested approach by the weakdh-team. Of course, as already discussed, this would be the standard parameter for IPFire, then, similar as the already chosen EC curve and similar to the standard parameters defined in RFC 5144.
Best, -Michael
P.S. You can send these comments as a cover letter or even put them directly into the commit message. I didn't see the connection in the first place between this email and the patch.
Best regards, Wolfgang
-
Michael Tremer -
Peter Müller -
Wolfgang Apolinarski