Message ID | 20171119145432.2e1ad551.peter.mueller@link38.eu |
---|---|
State | Superseded |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 1A7D060CB6 for <patchwork@ipfire.org>; Sun, 19 Nov 2017 14:54:42 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id AC65834AB; Sun, 19 Nov 2017 14:54:41 +0100 (CET) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 1C3112A0B for <development@lists.ipfire.org>; Sun, 19 Nov 2017 14:54:38 +0100 (CET) X-Virus-Scanned: ClamAV at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 5951240123 for <development@lists.ipfire.org>; Sun, 19 Nov 2017 14:54:33 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id D0CC89F34D for <development@lists.ipfire.org>; Sun, 19 Nov 2017 14:54:32 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711; t=1511099672; bh=eBo6foerYDKNeX+X6e5pRh6Eh3uLgDQJPxAfXQASo3o=; h=Date:From:To:Subject:Message-ID:Content-Type:From:To:Subject:Date: Cc; b=IoYHHeWb99k41Z8J4j15/Y/MzOhn5SSVbhaWQE4g6yGUW2v2KqP9kdvj7+E5CqBhu ru0Qazi2EScot8p9JFaM+yKEdbTL0/qsM7tXMXGmi2uk8z0sE/cW9B0sxPwIOKYMY/ ZO+qwgw2B5DdTCGqaXYiqzq75EA/Q2bCOUAJXmh/yvru21WY+aOEI7JPPbMbDRRboB vr+Pvj3DAngsePO2QuNKGrsqSZw+h5MUFBBUak4/tmIn+77S13lwfmfGhm9H8n891O nZk7EJCr3XAwFq8kkoqmgkWwngsmsbKlTJ1bf7nQQ6IV5ZhcPYZYZfEE36xIzWALGR d2c00xqNX4aUw== Date: Sun, 19 Nov 2017 14:54:32 +0100 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: "development@lists.ipfire.org" <development@lists.ipfire.org> Subject: [PATCH] disable SSL compression and session tickets in Apache Message-ID: <20171119145432.2e1ad551.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
disable SSL compression and session tickets in Apache
|
|
Commit Message
Peter Müller
Nov. 20, 2017, 12:54 a.m. UTC
Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since the might cause impact to PFS.
Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
1 file changed, 2 insertions(+)
Comments
Hi, I guess this is a simple patch that will merge straight away. We can sort out the cipher suites later. -Michael On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote: > Ensure that Apache never uses SSL compression, which is vulnerable, > and turn off session tickets since the might cause impact to PFS. > > Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org> > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > --- > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > index d08d3d2bb..53115cfd4 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > @@ -11,6 +11,8 @@ > SSLProtocol all -SSLv2 -SSLv3 > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20- > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA- > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > SSLHonorCipherOrder on > + SSLCompression off > + SSLSessionTickets off > SSLCertificateFile /etc/httpd/server.crt > SSLCertificateKeyFile /etc/httpd/server.key > SSLCertificateFile /etc/httpd/server-ecdsa.crt
As I thought this isn't based against next... On Sun, 2017-11-19 at 15:59 +0000, Michael Tremer wrote: > Hi, > > I guess this is a simple patch that will merge straight away. > > We can sort out the cipher suites later. > > -Michael > > On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote: > > Ensure that Apache never uses SSL compression, which is vulnerable, > > and turn off session tickets since the might cause impact to PFS. > > > > Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > --- > > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > index d08d3d2bb..53115cfd4 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > @@ -11,6 +11,8 @@ > > SSLProtocol all -SSLv2 -SSLv3 > > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20- > > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE- > > ECDSA- > > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- > > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > > SSLHonorCipherOrder on > > + SSLCompression off > > + SSLSessionTickets off > > SSLCertificateFile /etc/httpd/server.crt > > SSLCertificateKeyFile /etc/httpd/server.key > > SSLCertificateFile /etc/httpd/server-ecdsa.crt
Hello Michael, sorry, I forgot that. Sent in a second patch... Best regards, Peter Müller > As I thought this isn't based against next... > > On Sun, 2017-11-19 at 15:59 +0000, Michael Tremer wrote: > > Hi, > > > > I guess this is a simple patch that will merge straight away. > > > > We can sort out the cipher suites later. > > > > -Michael > > > > On Sun, 2017-11-19 at 14:54 +0100, Peter Müller wrote: > > > Ensure that Apache never uses SSL compression, which is vulnerable, > > > and turn off session tickets since the might cause impact to PFS. > > > > > > Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org> > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > > --- > > > config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > index d08d3d2bb..53115cfd4 100644 > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > @@ -11,6 +11,8 @@ > > > SSLProtocol all -SSLv2 -SSLv3 > > > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20- > > > POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE- > > > ECDSA- > > > AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- > > > RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > > > SSLHonorCipherOrder on > > > + SSLCompression off > > > + SSLSessionTickets off > > > SSLCertificateFile /etc/httpd/server.crt > > > SSLCertificateKeyFile /etc/httpd/server.key > > > SSLCertificateFile /etc/httpd/server-ecdsa.crt
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index d08d3d2bb..53115cfd4 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,6 +11,8 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt