b***@apache.org
2015-06-01 16:17:30 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=57984
Bug ID: 57984
Summary: Patch to add user-specified Diffie-Hellman parameters
to Apache 2.2.29
Product: Apache httpd-2
Version: 2.2.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: ***@httpd.apache.org
Reporter: ***@minaret.biz
Created attachment 32770
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32770&action=edit
Patch to add user-specified Diffie-Hellman parameters to Apache 2.2.29
For those users who must continue to use Apache 2.2 (we mod_perl people do not
have a version that works with Apache 2.4), I have applied the patch from bug
report 49559 to version 2.2.29 of Apache. The patch adds support for
user-specified Diffie-Hellman parameters. This allows the use of 2048-bit
user-generated DH groups, which in turn improves the security of the SSL connection
and makes it possible to earn a letter "A" grade from Entrust
(entrust.ssllabs.com) and helps to secure against the Logjam attack.
I am using the patch in an Apache 2.2.29 production environment and it works
perfectly. An updated patch (against 2.2.29 instead of 2.2.14) is attached to
this report.
In addition to installing the patch, admins must perform the following steps:
1) Run "openssl dhparam -out dhparams.pem 2048" and copy the resulting
"dhparams.pem" file to a private certificates directory of their server with as
restrictive permissions as possible (i.e. read-only root).
2) Add the following line to the SSL section of your Apache configuration:
SSLDHParametersFile "/PATH/TO/YOUR/CERTIFICATE/FILES/dhparams.pem"
Additional Apache configuration tips to protect against Logjam can be found at
many sites on the Internet, including "weakdh.org/sysadmin.html".
Many thanks to Erwann Abalea for the original patch. Remarkably, it was
submitted in 2010.
I hope this patch can be incorporated into the Apache 2.2 production stream for
the benefit of all admins who cannot, for whatever reason, move to Apache 2.4
yet.
Best,
Geoff
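As an added check (my own Python, not part of the attached patch or of httpd): parse the dhparams.pem produced in step 1 and confirm the modulus really is 2048 bits before pointing SSLDHParametersFile at it. The encoder only exists to build synthetic sample blobs inline; their moduli are not primes and must never be installed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(n):
    """DER length: one byte below 0x80, else 0x80|count followed by the bytes."""
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb

def _der_int(v):
    """DER INTEGER; the extra byte keeps a high-bit value positive."""
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b

def encode_dhparams(p, g):
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparams(pem):
    """Return (p, g) from a PEM DH PARAMETERS block; reject anything else."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, body, _ = _read_tlv(base64.b64decode(m.group(1)), 0)
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_group_bits(pem):
    """Size of the DH modulus p in bits (the 2048 in 'openssl dhparam ... 2048')."""
    return parse_dhparams(pem)[0].bit_length()

# Constructed sample blobs for exercising the parser: the moduli are NOT
# primes, so never install them; they only have the right size and shape.
STRONG_PEM = encode_dhparams((1 << 2047) | 0xC0FFEE, 2)
WEAK_PEM = encode_dhparams((1 << 1023) | 0xC0FFEE, 2)   # 1024-bit, Logjam-era size
```

On a real file, `openssl dhparam -in dhparams.pem -noout -text` reports the same prime size, and adding `-check` tests the group's sanity, which this size check does not.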
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org