public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. f809b8d5c75ebfba1fce53882596356456328826
@ 2019-05-17 19:35 Michael Tremer
From: Michael Tremer @ 2019-05-17 19:35 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  f809b8d5c75ebfba1fce53882596356456328826 (commit)
       via  df62774e32cdd33da266432f2dffefb0402c8ccf (commit)
      from  0aa21ad307979f96d3ea26ae3d86e19fc40f6787 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f809b8d5c75ebfba1fce53882596356456328826
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri May 17 20:30:13 2019 +0100

    core132: Ship updated apache configuration
    
    A reload would be sufficient.
    
    I could not find why apache needs to be restarted.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit df62774e32cdd33da266432f2dffefb0402c8ccf
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Wed May 15 17:01:00 2019 +0000

    httpd: prefer AES-GCM ciphers over AES-CBC
    
    CBC ciphers are vulnerable to a bunch of attacks (being
    rather academic so far) such as MAC-then-encrypt or
    padding oracle.
    
    These seem to be more serious (see
    https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
    for further reading), which is why they should be used
    for interoperability purposes only.
    
    I plan to remove AES-CBC ciphers for the WebUI at the
    end of the year, provided the overall security landscape
    has not changed by then.
    
    This patch changes the WebUI cipherlist to:
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    
    (AES-CBC + ECDSA will be preferred over RSA for performance
    reasons. As this cipher order cannot be trivially rebuilt with
    OpenSSL cipher strings, it has to be hard-coded.)
    
    All working clients will stay compatible.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
 config/rootfiles/core/132/filelists/files       | 1 +
 config/rootfiles/core/132/update.sh             | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

Difference in files:
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index f88a6a52a..0166c4920 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -11,7 +11,7 @@
 
     SSLEngine on
     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
     SSLHonorCipherOrder on
     SSLCompression off
     SSLSessionTickets off
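Review bot: The planned end-of-year removal of the four trailing CBC suites (`ECDHE-ECDSA-AES256-SHA384` through `ECDHE-RSA-AES128-SHA256`) is recorded only in the commit message; add a comment above `SSLCipherSuite` in the vhost config stating that the order is hard-coded on purpose and that the CBC entries are interoperability-only, so the follow-up is not lost and nobody "simplifies" the list back into an OpenSSL cipher string. The reorder itself matches the commit message (all AEAD suites, including the ECDHE-RSA ones, now precede the CBC suites), and `SSLHonorCipherOrder on` two lines below means the server preference is actually enforced for TLS 1.2 clients. Worth confirming that the three `TLS_*` TLSv1.3 names at the head of the list have any effect in this mod_ssl build: with OpenSSL 1.1.1, mod_ssl configures TLSv1.3 suites through a separate `SSLCipherSuite TLSv1.3 ...` line, and names the TLS 1.2 cipher-list parser does not recognise are silently skipped rather than rejected, so their presence here does not prove they are applied.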
diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files
index d63c77e4a..ab3520b40 100644
--- a/config/rootfiles/core/132/filelists/files
+++ b/config/rootfiles/core/132/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/mime.types
+etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
 etc/rc.d/init.d/suricata
 etc/rc.d/init.d/unbound
 etc/suricata/suricata.yaml
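Review bot: The added entry is `etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf` while the file edited in the first hunk lives at `config/httpd/vhosts.d/ipfire-interface-ssl.conf`; the build presumably installs the latter to the former, but double-check that the installed path is exactly this one, because a mismatch here means the core update silently ships the old cipher list and the `reload` in update.sh then changes nothing. The surrounding entries are not sorted, so the position of the new line needs no change.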
diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh
index 669df6009..94c38b19e 100644
--- a/config/rootfiles/core/132/update.sh
+++ b/config/rootfiles/core/132/update.sh
@@ -92,7 +92,7 @@ ldconfig
 /usr/local/bin/update-lang-cache
 
 # Start services
-/etc/init.d/apache restart
+/etc/init.d/apache reload
 /etc/init.d/collectd restart
 /etc/init.d/firewall restart
 /etc/init.d/unbound restart
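Review bot: Changing `restart` to `reload` is fine for a vhost config edit on its own, but the hunk header shows `ldconfig` running earlier in this script, which suggests core132 also updates shared libraries; a graceful reload keeps the existing parent httpd process and the libraries already mapped into it (OpenSSL included), so only a full restart picks up updated libraries. That may well be the reason the restart was there, which the commit message says could not be found. If library updates are part of this core update, keep `restart`; if not, consider running `httpd -t` before the reload so that a configuration error is reported instead of the old configuration silently staying active.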


hooks/post-receive
--
IPFire 2.x development tree
