diff mbox series

[v2] disable SSL compression and session tickets in Apache

Message ID 20171119172436.7f830eca.peter.mueller@link38.eu
State Accepted
Commit a57f4a9f5d39069032b0f4e64f90fe4330cb6357
Headers
Series [v2] disable SSL compression and session tickets in Apache |

Commit Message

Peter Müller 20 Nov 2017, 3:24 a.m. UTC 
Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since the might cause impact to PFS.

Based against next, supersedes first version.

Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Tremer 21 Nov 2017, 2:47 a.m. UTC | #1 
Okay, cool. Merged.

Please don't forget to pick up the conversation on cipher suites...

-Michael

On Sun, 2017-11-19 at 17:24 +0100, Peter Müller wrote:
> Ensure that Apache never uses SSL compression, which is vulnerable,
> and turn off session tickets since the might cause impact to PFS.
> 
> Based against next, supersedes first version.
> 
> Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index c9ccd5be5..dacf6a005 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -11,6 +11,8 @@
>      SSLProtocol all -SSLv2 -SSLv3
>      SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
> SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-
> AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-
> AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-
> AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-
> SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
>      SSLHonorCipherOrder on
> +    SSLCompression off
> +    SSLSessionTickets off
>      SSLCertificateFile /etc/httpd/server.crt
>      SSLCertificateKeyFile /etc/httpd/server.key
>      SSLCertificateFile /etc/httpd/server-ecdsa.crt
diff mbox series

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c9ccd5be5..dacf6a005 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -11,6 +11,8 @@ 
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
     SSLHonorCipherOrder on
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key
     SSLCertificateFile /etc/httpd/server-ecdsa.crt