This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  f809b8d5c75ebfba1fce53882596356456328826 (commit)
       via  df62774e32cdd33da266432f2dffefb0402c8ccf (commit)
      from  0aa21ad307979f96d3ea26ae3d86e19fc40f6787 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit f809b8d5c75ebfba1fce53882596356456328826
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri May 17 20:30:13 2019 +0100
core132: Ship updated apache configuration
A reload would be sufficient.
I could not find why apache needs to be restarted.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit df62774e32cdd33da266432f2dffefb0402c8ccf
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Wed May 15 17:01:00 2019 +0000
httpd: prefer AES-GCM ciphers over AES-CBC
CBC ciphers are vulnerable to a bunch of attacks (being rather academic so far) such as MAC-then-encrypt or padding oracle.
These seem to be more serious (see https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle... for further reading), which is why they should be used for interoperability purposes only.
I plan to remove AES-CBC ciphers for the WebUI at the end of the year, provided the overall security landscape has not changed by then.
This patch changes the WebUI cipherlist to:

TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA384
ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA256
ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA384
ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA256
(AES-CBC + ECDSA will be preferred over RSA for performance reasons. As this cipher order cannot be trivially rebuilt with OpenSSL cipher strings, it has to be hard-coded.)
All working clients will stay compatible.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
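The ordering policy the commit message describes (every AEAD suite ahead of every AES-CBC suite, and ECDSA ahead of RSA inside the CBC group) can be checked mechanically rather than by eye. The following is an added example, not IPFire's own code: it classifies suites purely by their OpenSSL names (no TLS library is consulted) and runs the check over both the old and the new SSLCipherSuite value from this change, so the exact ordering flaw the patch fixes shows up as a finding.

```python
"""Check an Apache SSLCipherSuite string against the ordering policy from the
commit message. Added example, not IPFire code; suites are classified by their
OpenSSL names only (TLS_* = TLSv1.3, GCM/CHACHA20 = AEAD, anything else = CBC)."""
from __future__ import annotations
from dataclasses import dataclass

# Both values copied from the ipfire-interface-ssl.conf hunk in this change.
OLD_CIPHERLIST = (
    "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
)
NEW_CIPHERLIST = (
    "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
)


@dataclass(frozen=True)
class Suite:
    name: str
    tls13: bool   # TLSv1.3 suite: always AEAD, key exchange/auth not part of the name
    aead: bool    # authenticated encryption: no separate MAC, no CBC padding to attack
    auth: str     # "ECDSA", "RSA", "any" (TLSv1.3) or "other"


def classify(name: str) -> Suite:
    """Derive the properties the policy cares about from the OpenSSL suite name."""
    tls13 = name.startswith("TLS_")
    aead = tls13 or "GCM" in name or "CHACHA20" in name
    if tls13:
        auth = "any"
    elif "ECDSA" in name:
        auth = "ECDSA"
    elif "RSA" in name:
        auth = "RSA"
    else:
        auth = "other"
    return Suite(name, tls13, aead, auth)


def parse_cipherlist(cipherlist: str) -> list[Suite]:
    return [classify(n) for n in cipherlist.split(":") if n]


def cbc_suites(cipherlist: str) -> list[str]:
    """Names of the non-AEAD (CBC) suites, i.e. the ones slated for later removal."""
    return [s.name for s in parse_cipherlist(cipherlist) if not s.aead]


def check_order(cipherlist: str) -> list[str]:
    """Return policy violations in list order; an empty list means compliant."""
    problems: list[str] = []
    seen_cbc = False        # a CBC suite has already appeared
    seen_rsa_cbc = False    # an RSA-authenticated CBC suite has already appeared
    for s in parse_cipherlist(cipherlist):
        if not s.tls13 and not s.name.startswith("ECDHE-"):
            problems.append(f"{s.name}: not an ECDHE suite (no forward secrecy)")
        if s.aead:
            if seen_cbc:
                problems.append(f"{s.name}: AEAD suite listed after a CBC suite")
        else:
            seen_cbc = True
            if s.auth == "RSA":
                seen_rsa_cbc = True
            elif s.auth == "ECDSA" and seen_rsa_cbc:
                problems.append(f"{s.name}: ECDSA CBC suite listed after an RSA CBC suite")
    return problems


if __name__ == "__main__":
    for label, value in (("old", OLD_CIPHERLIST), ("new", NEW_CIPHERLIST)):
        findings = check_order(value)
        print(f"{label}: {len(findings)} problem(s), CBC suites: {cbc_suites(value)}")
        for f in findings:
            print("  -", f)
```

Run against the old value the check reports the three ECDHE-RSA AEAD suites that sat behind the two ECDSA CBC suites; the new value passes cleanly and lists the four CBC suites that the commit message says are kept for interoperability only. The same function can be pointed at any other SSLCipherSuite value before it ships.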
-----------------------------------------------------------------------
Summary of changes:
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
 config/rootfiles/core/132/filelists/files       | 1 +
 config/rootfiles/core/132/update.sh             | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
Difference in files: diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index f88a6a52a..0166c4920 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,7 +11,7 @@
SSLEngine on SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 + SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index d63c77e4a..ab3520b40 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -1,6 +1,7 @@ etc/system-release etc/issue etc/mime.types +etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf etc/rc.d/init.d/suricata etc/rc.d/init.d/unbound etc/suricata/suricata.yaml diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh index 669df6009..94c38b19e 100644 --- a/config/rootfiles/core/132/update.sh +++ b/config/rootfiles/core/132/update.sh @@ -92,7 +92,7 @@ ldconfig /usr/local/bin/update-lang-cache
# Start services -/etc/init.d/apache restart +/etc/init.d/apache reload /etc/init.d/collectd restart /etc/init.d/firewall restart /etc/init.d/unbound restart
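Review bot: in the ipfire-interface-ssl.conf hunk, the three TLS_* names at the front of SSLCipherSuite do not set the TLSv1.3 preference: the unqualified directive is passed to OpenSSL's cipher-list API, which does not act on TLSv1.3 suite names, so the TLSv1.3 order stays at the library default unless the protocol-specific form `SSLCipherSuite TLSv1.3 ...` (httpd 2.4.36 and later) is used. Suggest adding that second directive, or a note in the commit message that only the TLSv1.2 part of the list is hard-coded, and confirming the applied order with `openssl ciphers -v` against the installed library. The TLSv1.2 reordering itself (all AEAD suites before the four AES-CBC suites, ECDSA before RSA inside the CBC group) matches the commit message and is enforced by the `SSLHonorCipherOrder on` that follows.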
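Review bot: the filelists hunk ships etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf with core 132, so the update overwrites that file on every installation, including any SSLProtocol or cipher changes an administrator made locally. That is the right call for a security tightening, but it deserves a line in the release notes so that such local changes are not lost silently.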
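Review bot: in the update.sh hunk, `/etc/init.d/apache reload` only signals an already running httpd; if apache is not running at this point in the update, the new vhost configuration is not picked up and the web interface stays down until the next start. If a stopped httpd is possible here, keep the restart; otherwise the reload is enough, since a graceful reload re-reads the vhost files including SSLCipherSuite without dropping active connections. Either way, checking the negotiated cipher after the update (for example with `openssl s_client` against the WebUI port) would confirm the new order is live.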
hooks/post-receive -- IPFire 2.x development tree