change Apache TLS cipher list to "Mozilla Modern"
Commit Message
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Actually I proposed that in the discussion to another patch, but
Wolfgang said that we would exclude too many systems.
Did you see that conversation?
-M
On Tue, 2017-11-07 at 20:51 +0100, Peter Müller wrote:
> Change the TLS cipher list of Apache to "Mozilla Modern".
>
> ECDSA is preferred over RSA to save CPU time on both server
> and client. Clients without support for TLS 1.2 and AES will
> experience connection failures.
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index c9ccd5be5..d08d3d2bb 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -9,7 +9,7 @@
> TransferLog /var/log/httpd/access_log
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> - SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA
> -AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
> + SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> SSLHonorCipherOrder on
> SSLCertificateFile /etc/httpd/server.crt
> SSLCertificateKeyFile /etc/httpd/server.key
@@ -9,7 +9,7 @@
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key