
Update Apache configuration #145

Open: th-certbund wants to merge 2 commits into master

Conversation

th-certbund (Author)
No description provided.

@ignisf commented Jul 17, 2018

Hello,

What is the rationale of this change? Why deviate from the cipher string recommended by the authors and used throughout this guide (see section 3.2.3. Recommended cipher suites)?

@krono (Contributor) commented Jul 17, 2018

What this does is essentially

  1. Disable session tickets
  2. Change Cipher
  3. add comments related to a mozilla guide.

I think 1. is interesting, and there should be some general discussion in the text about session tickets (and a note for Apache in particular).

For 2. this is not a good idea to just change it here in the config file. Rather, for this please engage in a discussion on the ACH mailing list.

For 3. we maybe need a general disclaimer that, while we understand the merits of the Mozilla cipher generator and such, this is not the place to just dump the results of it…

=-=-=-=-=

@th-certbund You indicated that this was tested with a recent apache on Debian 9.

  • Does it also work with an unmodified config file?
  • Is the session syntax new to that version?

@th-certbund (Author) commented

@ignisf:
The old cipher list includes "+SSLv3" while it should be disabled.
CAMELLIA is not supported by web browsers like Firefox.
The list should start with strong/fast ciphers widely supported by web browsers today (like CHACHA20-POLY1305) as highest priority if SSLHonorCipherOrder is used.
etc.
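To make the three points of this thread concrete (session tickets, the cipher string, and cipher ordering), here is an added example that is not code from this PR or from the applied-crypto-hardening repository: a small Python lint that parses the `SSL*` directives of an Apache vhost snippet and reports which of those points it fails. Both config snippets below are constructed for illustration and are not the repository's files; the cipher strings in them are assumptions chosen only to exhibit the patterns the thread argues about (a `+SSLv3` token, `CAMELLIA` enabled, no AEAD suite first, no `SSLSessionTickets` directive).

```python
"""Hypothetical lint for the Apache SSL points raised in this PR thread.

Added example, not part of the ACH repository.  It checks:
  - SSLv3 is disabled at the protocol level (SSLProtocol)
  - the cipher string carries no SSLv3 token and enables no CAMELLIA suite
  - SSLHonorCipherOrder is on and a fast AEAD suite (CHACHA20 or GCM) is first
  - TLS session tickets are switched off (SSLSessionTickets, Apache >= 2.4.11)
"""
import re

# Constructed "before" snippet (an assumption, not the repository's config).
OLD_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:+CAMELLIA256:+AES256:+SSLv3:!aNULL:!eNULL:!RC4'
SSLHonorCipherOrder on
"""

# Constructed "after" snippet (an assumption, not the PR's actual diff).
NEW_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
SSLHonorCipherOrder on
SSLSessionTickets off
"""


def parse_ssl_directives(conf: str) -> dict:
    """Map each SSL* directive to its (last) value; comments are ignored.

    Directive names are matched case-sensitively for brevity; real Apache
    treats them case-insensitively.
    """
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(SSL\w+)\s+(.*)", line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip("\"'")
    return out


def sslv3_disabled(protocol: str) -> bool:
    """True if SSLProtocol either subtracts SSLv3 or lists only TLS versions."""
    toks = protocol.split()
    if "-SSLv3" in toks:
        return True
    return "all" not in toks and all(t.lstrip("+").startswith("TLSv") for t in toks)


def check_ssl_config(conf: str) -> dict:
    """Return {check_name: passed} for the points discussed in the thread."""
    d = parse_ssl_directives(conf)
    ciphers = d.get("SSLCipherSuite", "").split(":")
    first = ciphers[0]
    return {
        # Apache's historical default for SSLProtocol is "all"; assumed here.
        "sslv3_disabled": sslv3_disabled(d.get("SSLProtocol", "all")),
        "no_sslv3_token_in_cipher_string": not any(
            c.lstrip("+-!") == "SSLv3" for c in ciphers
        ),
        # A CAMELLIA token that is not negated with '!' enables those suites.
        "no_camellia_enabled": not any(
            "CAMELLIA" in c and not c.startswith("!") for c in ciphers
        ),
        # SSLHonorCipherOrder defaults to off.
        "honor_cipher_order": d.get("SSLHonorCipherOrder", "off").lower() == "on",
        # With server-side ordering, the first entry is what most clients get.
        "aead_first": "CHACHA20" in first or "GCM" in first,
        # SSLSessionTickets defaults to on, so absence counts as a failure.
        "session_tickets_off": d.get("SSLSessionTickets", "on").lower() == "off",
    }


def failing_checks(conf: str) -> list:
    """Sorted names of the checks a snippet fails (empty list = all good)."""
    return sorted(name for name, ok in check_ssl_config(conf).items() if not ok)


if __name__ == "__main__":
    print("old:", failing_checks(OLD_CONF))
    print("new:", failing_checks(NEW_CONF))
```

One caveat a reviewer would raise when running this: in OpenSSL cipher-list syntax a `+SSLv3` token only moves the matching suites to the end of the list; whether the SSLv3 protocol itself can be negotiated is decided by `SSLProtocol`, which is why the lint checks both. `SSLSessionTickets` only exists from Apache 2.4.11 on, so on an older httpd the directive is a startup error rather than a silent no-op.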

@krono (Contributor) commented Jul 17, 2018

@th-certbund That is true per se. Have you looked at Section 3.2.3 "Recommended cipher suites" in the guide? It explains the two cipher combos recommended and why people might want the more compatible "Ciphersuite B".

Note that all examples in the repository use the B variant. It is intended that people opting for the A variant (namely EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3) replace that themselves. Maybe it would be a good idea to make two top-level configs, one using the A and one using the B variant, but this is for a new issue, I think.

@aaronkaplan (Member) commented Jul 17, 2018 via email

@krono (Contributor) commented Jul 17, 2018

@aaronkaplan ok, great. This probably means fixing the suites, right?

@krono (Contributor) commented Jul 17, 2018

The problem might be that we get a myriad of different suites amongst all the different config files, at which point they don't serve any good purpose anymore :/

@aaronkaplan (Member) commented Jul 17, 2018 via email

@martinberg212 commented
Why is this PR not being merged?
It has been a year since the last comment was made and the current apache config is still very much dated.

5 participants