disable SSL compression and session tickets in Apache

Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since the might cause impact to PFS.

Based against next, supersedes first version.

Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c9ccd5be5cd13121666524e2cab30b55398a0cb5..dacf6a005f87f0c250bb388d05796011de7ed062 100644 (file)
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -11,6 +11,8 @@
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
     SSLHonorCipherOrder on
+    SSLCompression off
+    SSLSessionTickets off
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key
     SSLCertificateFile /etc/httpd/server-ecdsa.crt