Added DHE ciphers, updated SSL configuration
Commit Message
- added DHE ciphers that are used when similar ECDHE ciphers are not
available, used the Mozilla SSL Configuration intermediate profile
- deactivated SSLCompression explicitly (off by default)
- deactivated SSLSessionTickets for PFS
- added default DH params with 4096 bits
---
config/httpd/dhparams.pem | 13 +++++++++++++
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 9 ++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
create mode 100644 config/httpd/dhparams.pem
new file mode 100644
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAgyg+WTdpS5cKE9SODv6Xu+89KBEuO9jD+lVaKxFX7J1ZLOVTjeSX
+w9VtXB3ohtXrPAoDVkBlfC1ITemOL6H4OQLkvUVQmdjDD3kzw27V7qUapnJ7P/sV
+0AcCHOfZLNmAqvuaZE7QPtFL1orjFBvUXsH2CKeCw+4AFzUV7E3l4c5xHpCZWXQB
+BLyDzj741gnaG9Jf08O2i0ElczOMjMX3jSAKGIu/TyFJ9QYsYF9R4Cgb3ilgUTLa
+RWnH6GMkA8p/js93AEqgq/K35iwHdxndhwxv6uf9Y9JJx4sr3crY/BpCppWLxVSE
+oBUCDLY6RPntBRvJ8RevyyER1w91wxuIu66WvaSqSUz0QmU4av2GSc+JABge++za
+wbw5bDL1ExdqEqgvVSWXugyqOIe3M5qzTavqFbJ2s9XW137iUvVSgUnyig7t5kqC
+0ROAT4PnsWtPgpFjcR8nL+Chv1aQlNxHxwPwFhZ8GVjwRRPQwUz8DP5/1Vo7D87U
+yUwAmoQEie79nUvm6zeB/rfXGN7lqbyklcuvIX60tWfhw6hoGu5venr810wLSm6K
+eVUrAR4wQEwSLKskQ+QUdKLe9h1GDblL3mEpR0PClBv/90CpmZ39sxWG9kJYJjZk
+LMe5Gc4B3MzBAPwmaDExbXAilMfDwglqqSKQvqo7y3baa5fQgsou2HsCAQI=
+-----END DH PARAMETERS-----
@@ -9,12 +9,15 @@
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA384:AES256-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
SSLHonorCipherOrder on
- SSLCertificateFile /etc/httpd/server.crt
- SSLCertificateKeyFile /etc/httpd/server.key
+ SSLCompression off
+ SSLSessionTickets off
SSLCertificateFile /etc/httpd/server-ecdsa.crt
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+ SSLCertificateFile /etc/httpd/server.crt
+ SSLCertificateKeyFile /etc/httpd/server.key
+ SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem
<Directory /srv/web/ipfire/html>
Options ExecCGI