From a7006325c0bd39cb9f60c77e41cae81893205752 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 15 Oct 2014 22:55:26 +0200
Subject: [PATCH] apache: Disable SSLv3 by default for the IPFire webinterface
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 +-
 config/rootfiles/core/85/filelists/files | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dc6bb21ed5..daac75742d 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -8,7 +8,7 @@
 ErrorLog /var/log/httpd/error_log
 TransferLog /var/log/httpd/access_log
 SSLEngine on
- SSLProtocol all -SSLv2
+ SSLProtocol all -SSLv2 -SSLv3
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/httpd/server.crt
diff --git a/config/rootfiles/core/85/filelists/files b/config/rootfiles/core/85/filelists/files
index 168c7d188b..9cf259c4c1 100644
--- a/config/rootfiles/core/85/filelists/files
+++ b/config/rootfiles/core/85/filelists/files
@@ -1,3 +1,4 @@
 etc/system-release
 etc/issue
+etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
 var/ipfire/langs
-- 
2.39.5
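Review bot: The new `SSLProtocol all -SSLv2 -SSLv3` line has no comment saying why SSLv3 is excluded, and it remains a denylist, so every other protocol version the linked OpenSSL offers stays enabled. I would add `# SSLv3 is disabled because of its CBC padding weakness; do not re-enable it for legacy clients` above the directive so a later edit does not quietly revert it. The directive only takes effect once httpd reloads its configuration, and nothing visible in this patch shows the core 85 update doing that, so confirm the update script restarts Apache after the file named in the filelist hunk is installed. Only this one vhost is shown; if other TLS listeners or a server-wide `SSLProtocol` exist elsewhere in the tree, they need the same exclusion. After deployment, `openssl s_client -ssl3 -connect <host>:<port>` should fail to complete a handshake.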