Bug#779333: unblock: pre-approval: haproxy/1.5.8-3

2015-03-11 Thread Vincent Bernat
Control: tags -1 - moreinfo

 ❦ 11 March 2015 13:45 +0100, Ivo De Decker iv...@debian.org :

>> Would such a change be accepted for Jessie? Not uploaded yet.
>
> Please go ahead and remove the moreinfo tag from this bug once the upload is
> in unstable.

Done. Thanks!
-- 
Use free-form input when possible.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#779333: unblock: pre-approval: haproxy/1.5.8-3

2015-03-11 Thread Ivo De Decker
Control: tags -1 confirmed moreinfo

Hi,

On Fri, Feb 27, 2015 at 11:37:40AM +0100, Vincent Bernat wrote:
> Would such a change be accepted for Jessie? Not uploaded yet.

Please go ahead and remove the moreinfo tag from this bug once the upload is
in unstable.

Cheers,

Ivo





Bug#779333: unblock: pre-approval: haproxy/1.5.8-3

2015-03-05 Thread Vincent Bernat
 ❦ 27 February 2015 11:37 +0100, Vincent Bernat ber...@debian.org :

> Currently, the configuration file shipped with haproxy comes with a
> cipher list where RC4 is allowed:
>
>  kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>
> Since RC4 is almost broken, it seems a good idea to remove it. To keep
> compatibility with older browsers, other ciphers need to be introduced
> (3DES). There are many recommended cipher strings in the wild:
>
>  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>  https://wiki.mozilla.org/Security/Server_Side_TLS
>  https://github.com/cloudflare/sslconfig/blob/master/conf
>
> We picked the first one. See the attached debdiff.
>
> Would such a change be accepted for Jessie? Not uploaded yet.

Hello?
-- 
Watch out for off-by-one errors.
- The Elements of Programming Style (Kernighan & Plauger)


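The cipher-string change proposed in this thread, checked against the OpenSSL build that Python's ssl module is linked with. This is an added example, not code from the bug report or from the haproxy package: the two strings are copied from the debdiff, the helper names expand and audit are the example's own, and the expansion depends on the installed OpenSSL (builds since 1.1.0 omit the RC4 suites entirely, so the old string is reported as requesting RC4 from the text of the string rather than from what OpenSSL actually selects).

```python
"""Expand and audit the old and new haproxy ssl-default-bind-ciphers values.

Added example for the haproxy/1.5.8-3 unblock request; not the package's code.
It asks OpenSSL (via the ssl module) to expand each cipher string into the
concrete suites a server would offer, then checks the properties the report
cares about: no RC4, no MD5, no anonymous suites, and where 3DES lands in the
preference order.
"""
import ssl

# Cipher strings copied from the debdiff in the report.
OLD = "kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL"
NEW = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
       "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL selects for cipher_string,
    in server preference order.  TLS 1.3 suites are dropped because they are
    configured separately and are not governed by this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise the security-relevant properties of an expanded cipher list.

    'requests_rc4' looks at the string itself because modern OpenSSL builds
    no longer contain RC4 suites at all; the old string therefore expands
    without RC4 even though it asks for it.  The other fields are computed
    from the suite names OpenSSL actually returns."""
    names = expand(cipher_string)
    aes_positions = [i for i, n in enumerate(names) if "AES" in n]
    des_positions = [i for i, n in enumerate(names) if "DES-CBC3" in n]
    return {
        "suites": len(names),
        # a bare or '+' term mentioning RC4 selects it; a '!RC4' term would not
        "requests_rc4": any("RC4" in tok for tok in cipher_string.split(":")
                            if not tok.startswith("!")),
        "has_rc4": any("RC4" in n for n in names),
        "has_md5": any(n.endswith("MD5") for n in names),
        # anonymous (unauthenticated) suites are named ADH-* and AECDH-*
        "has_anon": any(n.startswith(("ADH-", "AECDH-")) for n in names),
        "has_3des": bool(des_positions),
        # True only if every AES suite is preferred over every 3DES suite
        "3des_after_aes": (not des_positions
                           or max(aes_positions) < min(des_positions)),
        "first": names[0] if names else None,
    }


if __name__ == "__main__":
    for label, s in (("old", OLD), ("new", NEW)):
        r = audit(s)
        print(f"{label}: {r['suites']} suites, first preference {r['first']}")
        for key in ("requests_rc4", "has_rc4", "has_md5", "has_anon",
                    "has_3des", "3des_after_aes"):
            print(f"  {key:15} {r[key]}")
```

One thing the audit makes visible that the changelog does not: the new string ranks ECDH+3DES and DH+3DES above RSA+AESGCM and RSA+AES, so on a build that still offers 3DES the 3des_after_aes field is False for it. That is the ordering the hynek.me list chooses deliberately (forward secrecy ahead of cipher strength), unlike the old string whose +AES256 term only shuffled AES suites; the check exists so that trade-off is a conscious one when the list is reused elsewhere.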


Bug#779333: unblock: pre-approval: haproxy/1.5.8-3

2015-02-27 Thread Vincent Bernat
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock


Hey!

Currently, the configuration file shipped with haproxy comes with a
cipher list where RC4 is allowed:

 kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

Since RC4 is almost broken, it seems a good idea to remove it. To keep
compatibility with older browsers, other ciphers need to be introduced
(3DES). There are many recommended cipher strings in the wild:

 https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 https://wiki.mozilla.org/Security/Server_Side_TLS
 https://github.com/cloudflare/sslconfig/blob/master/conf

We picked the first one. See the attached debdiff.

Would such a change be accepted for Jessie? Not uploaded yet.

unblock haproxy/1.5.8-3

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 0b49137269e2..c3e53128d0fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+haproxy (1.5.8-3) unstable; urgency=medium
+
+  * Remove RC4 from the default cipher string shipped in configuration.
+
+ -- Vincent Bernat ber...@debian.org  Fri, 27 Feb 2015 11:29:23 +0100
+
 haproxy (1.5.8-2) unstable; urgency=medium
 
   * Cherry-pick the following patches from 1.5.9 release:
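Review bot: the changelog line `+  * Remove RC4 from the default cipher string shipped in configuration.` understates what the haproxy.cfg hunk does: besides dropping RC4-SHA, the new string removes the old `!kEDH` exclusion (so DHE suites are now offered), adds 3DES as a fallback for older clients, and replaces the whole list with the one from hynek.me. Anyone reading the changelog to judge the upgrade will want those three facts; suggest something like "Replace the default cipher string with the hynek.me recommendation: drop RC4, allow DHE suites, keep 3DES as a last-resort fallback for old clients."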
diff --git a/debian/haproxy.cfg b/debian/haproxy.cfg
index f84a37c9b428..86da67d552d2 100644
--- a/debian/haproxy.cfg
+++ b/debian/haproxy.cfg
@@ -13,9 +13,10 @@ global
 	crt-base /etc/ssl/private
 
 	# Default ciphers to use on SSL-enabled listening sockets.
-	# For more information, see ciphers(1SSL).
-	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
-ssl-default-bind-options no-sslv3
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
 
 defaults
 	log	global
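Review bot: the new `ssl-default-bind-ciphers` value selects the `DH+AESGCM`, `DH+AES256`, `DH+AES` and `DH+3DES` groups and no longer carries the old `!kEDH`, so DHE key exchange is offered for the first time by the default config; in haproxy 1.5 the DH parameter size then comes from `tune.ssl.default-dh-param`, which defaults to 1024 bits with a startup warning when it is unset, so this hunk should also add `tune.ssl.default-dh-param 2048` to the `global` section (or the comment should tell the admin to). A second point for the comment: the string ranks `ECDH+3DES:DH+3DES` above `RSA+AESGCM:RSA+AES`, i.e. forward secrecy ahead of cipher strength; readers used to the old `+AES256` ordering will otherwise wonder why 3DES is not at the very end, and a one-line note that this is intentional would save that question.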