Added DHE ciphers, updated SSL configuration

Message ID 20171026182936.24488-1-wolfgang.apolinarski@ipfire.org
State Dropped
Headers show
Series Added DHE ciphers, updated SSL configuration | expand

Commit Message

Wolfgang Apolinarski Oct. 27, 2017, 5:29 a.m. UTC
- added DHE ciphers that are used when similar ECDHE ciphers are not
available, used the Mozilla SSL Configuration intermediate profile
- deactivated SSLCompression explicitly (off by default)
- deactivated SSLSessionTickets for PFS
- added default DH params with 4096 bits
---
 config/httpd/dhparams.pem                       | 13 +++++++++++++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf |  9 ++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 config/httpd/dhparams.pem

Patch

diff --git a/config/httpd/dhparams.pem b/config/httpd/dhparams.pem
new file mode 100644
index 000000000..d81c6eacb
--- /dev/null
+++ b/config/httpd/dhparams.pem
@@ -0,0 +1,13 @@ 
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAgyg+WTdpS5cKE9SODv6Xu+89KBEuO9jD+lVaKxFX7J1ZLOVTjeSX
+w9VtXB3ohtXrPAoDVkBlfC1ITemOL6H4OQLkvUVQmdjDD3kzw27V7qUapnJ7P/sV
+0AcCHOfZLNmAqvuaZE7QPtFL1orjFBvUXsH2CKeCw+4AFzUV7E3l4c5xHpCZWXQB
+BLyDzj741gnaG9Jf08O2i0ElczOMjMX3jSAKGIu/TyFJ9QYsYF9R4Cgb3ilgUTLa
+RWnH6GMkA8p/js93AEqgq/K35iwHdxndhwxv6uf9Y9JJx4sr3crY/BpCppWLxVSE
+oBUCDLY6RPntBRvJ8RevyyER1w91wxuIu66WvaSqSUz0QmU4av2GSc+JABge++za
+wbw5bDL1ExdqEqgvVSWXugyqOIe3M5qzTavqFbJ2s9XW137iUvVSgUnyig7t5kqC
+0ROAT4PnsWtPgpFjcR8nL+Chv1aQlNxHxwPwFhZ8GVjwRRPQwUz8DP5/1Vo7D87U
+yUwAmoQEie79nUvm6zeB/rfXGN7lqbyklcuvIX60tWfhw6hoGu5venr810wLSm6K
+eVUrAR4wQEwSLKskQ+QUdKLe9h1GDblL3mEpR0PClBv/90CpmZ39sxWG9kJYJjZk
+LMe5Gc4B3MzBAPwmaDExbXAilMfDwglqqSKQvqo7y3baa5fQgsou2HsCAQI=
+-----END DH PARAMETERS-----
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c9ccd5be5..c668b49b3 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,12 +9,15 @@ 
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
+    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA384:AES256-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
     SSLHonorCipherOrder on
-    SSLCertificateFile /etc/httpd/server.crt
-    SSLCertificateKeyFile /etc/httpd/server.key
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+    SSLCertificateFile /etc/httpd/server.crt
+    SSLCertificateKeyFile /etc/httpd/server.key
+    SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI