| Message ID | c9e110e7-4e35-1f1d-c917-f4e709e50a0d@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 4636ed66c6c12c7c17ea05ffaa2242b4b0355990 |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 476M1h3Hmmz43TZ for <patchwork@web04.haj.ipfire.org>; Mon, 4 Nov 2019 18:35:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 476M1g3CTJz2f4; Mon, 4 Nov 2019 18:35:51 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 476M1g1WW8z2y66; Mon, 4 Nov 2019 18:35:51 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 476M1d4vS8z2xZd for <development@lists.ipfire.org>; Mon, 4 Nov 2019 18:35:49 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 476M1c5T4jz2RR for <development@lists.ipfire.org>; Mon, 4 Nov 2019 18:35:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1572892549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=58CLhPc/2FZS2juhqowz0KkL/E0yefN2CFPDRzWEHcY=; b=GRJFEcmt3ehDssjtg+5qFUifK2c2LGk9TzbcY9nTsvgncN8DUw+92EXZXtsvMQBglQHVY/ F9ATl1W4E7XWWYQ/63KN4wDkCD8kNWK+vodSwBWCSkW6V7HdKX5SWa/Xy/Xs9q8+LOOhe2 ndPZS7AA96VMPHKxlQXZzuoj3WZ84JLvpf5JAcHohJRPytYSz5JA4l1Ku9Nn/EO+xzDpUy izlpHLDq3a23HxXt3EVqsFW+hsSw2sRj6o7NLWcn1Zgt+d0jnGAzVFOr/I8uptaq3U74br yDI8u/iK216eJ5Z6lnJUG4/zVKE0VdolFkxdD9Eyf/Wg/nxb1K6076aU41BcJA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1572892549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=58CLhPc/2FZS2juhqowz0KkL/E0yefN2CFPDRzWEHcY=; b=Dj7PAx5qBkFyKccOFUHHK6li284g04WuTcAbGCrCE0jhXk9a1Vw4C1nmN80UQfq6oVYXtm M7YwDm7Yre4c9wCg== To: "IPFire: Development-List" <development@lists.ipfire.org> From: peter.mueller@ipfire.org Subject: [PATCH] Apache: drop CBC ciphers for WebUI Message-ID: <c9e110e7-4e35-1f1d-c917-f4e709e50a0d@ipfire.org> Date: Mon, 04 Nov 2019 18:35:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
Apache: drop CBC ciphers for WebUI
|
|
Commit Message
Peter Müller
Nov. 4, 2019, 6:35 p.m. UTC
CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.
This patch changes the used cipersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Acked-by: Michael Tremer <michael.tremer@ipfire.org> > On 4 Nov 2019, at 18:35, peter.mueller@ipfire.org wrote: > > CBC ciphers contain some known vulnerabilities and should not be used > anymore. While dropping them for OpenSSL clients or public web servers > still causes interoperability problems with legacy setups, they can > be safely removed from IPFire's administrative UI. > > This patch changes the used cipersuite to: > > TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD > TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD > TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD > ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD > ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD > ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD > ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD > > Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning > them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for > performance reasons. > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > index 0166c4920..2009184bb 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > @@ -11,7 +11,7 @@ > > SSLEngine on > SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 > - SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > + SSLCipherSuite AESGCM+EECDH:CHACHA20+EECDH:@STRENGTH:+aRSA > SSLHonorCipherOrder on > SSLCompression off > SSLSessionTickets off > -- > 2.16.4
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 0166c4920..2009184bb 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,7 +11,7 @@ SSLEngine on SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 + SSLCipherSuite AESGCM+EECDH:CHACHA20+EECDH:@STRENGTH:+aRSA SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off