From patchwork Mon Nov 20 03:24:36 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1555 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 4500760B0D for ; Sun, 19 Nov 2017 17:24:48 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id BA5A934C4; Sun, 19 Nov 2017 17:24:47 +0100 (CET) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id D46CE34C4 for ; Sun, 19 Nov 2017 17:24:43 +0100 (CET) X-Virus-Scanned: ClamAV at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id ED5AB40123 for ; Sun, 19 Nov 2017 17:24:37 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 73BFB9F785 for ; Sun, 19 Nov 2017 17:24:37 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711; t=1511108677; bh=gxR9Jov3444lMRfQKcce+RC/0w1xiUvy53JajZIYtV0=; h=Date:From:To:Subject:Message-ID:Content-Type:From:To:Subject:Date: Cc; b=wJ9m1aeA655h7phIGa7mcYmLvBw7kt/hBATsFWUSI2KyKKhcY6fjLaR+TPxKGNGeI RGyM9CmOWq3Ke3ofaVLDIOlRAFbZ6hHRCQr9scvjptvkYQ+8gbC8eo3Ddsn1/2Bkgx 6bBNa7yLazHiiFWG9t80Z+/60dKpqq+68xMyCAgvLMILa1mDbwwJBETVtnjNrLzHqi Bmcjt4/r07NGOh2l7+rRogR9aWLLtvKSI6XdC8xeROuImfk4++drpj701FzORY00vt WgjewtfYgV4rkHgIKZtccCuJfOZLCKKuANNKSyU/BrO/NVjOW2aJkInvbQYBOH2fjl B/iMprGnX5jeQ== Date: Sun, 19 Nov 2017 17:24:36 +0100 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH v2] disable SSL compression and session tickets in Apache Message-ID: <20171119172436.7f830eca.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Ensure that Apache never uses SSL compression, which is vulnerable, and turn off session tickets since the might cause impact to PFS. Based against next, supersedes first version. Reported-by: Wolfgang Apolinarski Signed-off-by: Peter Müller --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index c9ccd5be5..dacf6a005 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -11,6 +11,8 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt