From patchwork Fri Oct 27 05:29:36 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
X-Patchwork-Id: 1487
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id AB5BD60D6C
	for <patchwork@ipfire.org>; Thu, 26 Oct 2017 20:29:56 +0200 (CEST)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 321A34D76;
	Thu, 26 Oct 2017 20:29:56 +0200 (CEST)
Received: from gentoo-modula.duisburg.apolinarski.de
	(x4db67e2c.dyn.telefonica.de [77.182.126.44])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 8836611BB;
	Thu, 26 Oct 2017 20:29:53 +0200 (CEST)
From: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] Added DHE ciphers, updated SSL configuration
Date: Thu, 26 Oct 2017 20:29:36 +0200
Message-Id: <20171026182936.24488-1-wolfgang.apolinarski@ipfire.org>
X-Mailer: git-send-email 2.13.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- added DHE ciphers that are used when similar ECDHE ciphers are not
available, used the Mozilla SSL Configuration intermediate profile
- deactivated SSLCompression explicitly (off by default)
- deactivated SSLSessionTickets for PFS
- added default DH params with 4096 bits
---
 config/httpd/dhparams.pem                       | 13 +++++++++++++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf |  9 ++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 config/httpd/dhparams.pem

diff --git a/config/httpd/dhparams.pem b/config/httpd/dhparams.pem
new file mode 100644
index 000000000..d81c6eacb
--- /dev/null
+++ b/config/httpd/dhparams.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAgyg+WTdpS5cKE9SODv6Xu+89KBEuO9jD+lVaKxFX7J1ZLOVTjeSX
+w9VtXB3ohtXrPAoDVkBlfC1ITemOL6H4OQLkvUVQmdjDD3kzw27V7qUapnJ7P/sV
+0AcCHOfZLNmAqvuaZE7QPtFL1orjFBvUXsH2CKeCw+4AFzUV7E3l4c5xHpCZWXQB
+BLyDzj741gnaG9Jf08O2i0ElczOMjMX3jSAKGIu/TyFJ9QYsYF9R4Cgb3ilgUTLa
+RWnH6GMkA8p/js93AEqgq/K35iwHdxndhwxv6uf9Y9JJx4sr3crY/BpCppWLxVSE
+oBUCDLY6RPntBRvJ8RevyyER1w91wxuIu66WvaSqSUz0QmU4av2GSc+JABge++za
+wbw5bDL1ExdqEqgvVSWXugyqOIe3M5qzTavqFbJ2s9XW137iUvVSgUnyig7t5kqC
+0ROAT4PnsWtPgpFjcR8nL+Chv1aQlNxHxwPwFhZ8GVjwRRPQwUz8DP5/1Vo7D87U
+yUwAmoQEie79nUvm6zeB/rfXGN7lqbyklcuvIX60tWfhw6hoGu5venr810wLSm6K
+eVUrAR4wQEwSLKskQ+QUdKLe9h1GDblL3mEpR0PClBv/90CpmZ39sxWG9kJYJjZk
+LMe5Gc4B3MzBAPwmaDExbXAilMfDwglqqSKQvqo7y3baa5fQgsou2HsCAQI=
+-----END DH PARAMETERS-----
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c9ccd5be5..c668b49b3 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,12 +9,15 @@
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
-    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
+    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA384:AES256-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
     SSLHonorCipherOrder on
-    SSLCertificateFile /etc/httpd/server.crt
-    SSLCertificateKeyFile /etc/httpd/server.key
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+    SSLCertificateFile /etc/httpd/server.crt
+    SSLCertificateKeyFile /etc/httpd/server.key
+    SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI