From patchwork Mon Nov 20 00:54:32 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1553 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 1A7D060CB6 for ; Sun, 19 Nov 2017 14:54:42 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id AC65834AB; Sun, 19 Nov 2017 14:54:41 +0100 (CET) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 1C3112A0B for ; Sun, 19 Nov 2017 14:54:38 +0100 (CET) X-Virus-Scanned: ClamAV at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 5951240123 for ; Sun, 19 Nov 2017 14:54:33 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id D0CC89F34D for ; Sun, 19 Nov 2017 14:54:32 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711; t=1511099672; bh=eBo6foerYDKNeX+X6e5pRh6Eh3uLgDQJPxAfXQASo3o=; h=Date:From:To:Subject:Message-ID:Content-Type:From:To:Subject:Date: Cc; b=IoYHHeWb99k41Z8J4j15/Y/MzOhn5SSVbhaWQE4g6yGUW2v2KqP9kdvj7+E5CqBhu ru0Qazi2EScot8p9JFaM+yKEdbTL0/qsM7tXMXGmi2uk8z0sE/cW9B0sxPwIOKYMY/ ZO+qwgw2B5DdTCGqaXYiqzq75EA/Q2bCOUAJXmh/yvru21WY+aOEI7JPPbMbDRRboB vr+Pvj3DAngsePO2QuNKGrsqSZw+h5MUFBBUak4/tmIn+77S13lwfmfGhm9H8n891O nZk7EJCr3XAwFq8kkoqmgkWwngsmsbKlTJ1bf7nQQ6IV5ZhcPYZYZfEE36xIzWALGR d2c00xqNX4aUw== Date: Sun, 19 Nov 2017 14:54:32 +0100 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH] disable SSL compression and session tickets in Apache Message-ID: <20171119145432.2e1ad551.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Ensure that Apache never uses SSL compression, which is vulnerable, and turn off session tickets since the might cause impact to PFS. Reported-by: Wolfgang Apolinarski Signed-off-by: Peter Müller --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index d08d3d2bb..53115cfd4 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,6 +11,8 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt