[v2] disable SSL compression and session tickets in Apache
Commit Message
Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since they might cause impact to PFS.
Based against next, supersedes first version.
Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
1 file changed, 2 insertions(+)
Comments
Okay, cool. Merged.
Please don't forget to pick up the conversation on cipher suites...
-Michael
On Sun, 2017-11-19 at 17:24 +0100, Peter Müller wrote:
> Ensure that Apache never uses SSL compression, which is vulnerable,
> and turn off session tickets since they might cause impact to PFS.
>
> Based against next, supersedes first version.
>
> Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index c9ccd5be5..dacf6a005 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -11,6 +11,8 @@
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-
> SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-
> AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-
> AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-
> AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-
> SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
> SSLHonorCipherOrder on
> + SSLCompression off
> + SSLSessionTickets off
> SSLCertificateFile /etc/httpd/server.crt
> SSLCertificateKeyFile /etc/httpd/server.key
> SSLCertificateFile /etc/httpd/server-ecdsa.crt
@@ -11,6 +11,8 @@
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateFile /etc/httpd/server-ecdsa.crt
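Review bot: the two added lines `SSLCompression off` and `SSLSessionTickets off` carry no comment in the config file itself, so the reasoning given in the commit message (compression is vulnerable, tickets may weaken PFS) is lost for anyone reading the vhost later; suggest a one-line comment above each directive, e.g. `# no TLS compression; no session tickets (PFS)`. The `SSLSessionTickets` directive only exists in httpd 2.4.11 and later (built against OpenSSL 0.9.8f or newer), and httpd refuses to start on an unknown directive, so the commit message should record which httpd version this was tested against. Note also that with tickets disabled, session resumption relies entirely on the server-side session cache; no `SSLSessionCache` directive is visible in this hunk's context, so please confirm it is set elsewhere in the file or in the global configuration, otherwise every resumed connection becomes a full handshake.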