You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/06/01 18:17:30 UTC
[Bug 57984] New: Patch to add user-specified Diffie-Hellman
parameters to Apache 2.2.29
https://bz.apache.org/bugzilla/show_bug.cgi?id=57984
Bug ID: 57984
Summary: Patch to add user-specified Diffie-Hellman parameters
to Apache 2.2.29
Product: Apache httpd-2
Version: 2.2.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: geoff@minaret.biz
Created attachment 32770
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32770&action=edit
Patch to add user-specified Diffie-Hellman parameters to Apache 2.2.29
For those users who must continue to use Apache 2.2 (we mod_perl people do not
have a version that works with Apache 2.4), I have applied the patch from bug
report 49559 to version 2.2.29 of Apache. The patch adds support for
user-specified Diffie-Hellman parameters. This allows the use of 2048 bit user
generated DH groups, which in turn improves the security of the SSL connection
and makes it possible to earn a letter "A" grade from Entrust
(entrust.ssllabs.com) and helps to secure against the Logjam attack.
I am using the patch in an Apache 2.2.29 production environment and it works
perfectly. An updated patch (against 2.2.29 instead of 2.2.14) is attached to
this report.
In addition to installing the patch, admins must perform the following steps:
1) Run "openssl dhparam -out dhparams.pem 2048" and copy the resulting
"dhparams.pem" file to a private certificates directory of their server with as
restrictive permissions as possible (i.e. read-only root).
2) Add the following line to the SSL section of your Apache configuration:
SSLDHParametersFile "/PATH/TO/YOUR/CERTIFICATE/FILES/dhparams.pem"
Additional Apache configuration tips to protect against Logjam can be found at
many sites on the Internet, including "weakdh.org/sysadmin.html".
Many thanks to Erwann Abalea for the original patch. Remarkably, it was
submitted in 2010.
I hope this patch can be incorporated into the Apache 2.2 production stream for
the benefit of all admins who cannot, for whatever reason, move to Apache 2.4
yet.
Best,
Geoff
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 57984] Patch to add user-specified Diffie-Hellman parameters to
Apache 2.2.29
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57984
--- Comment #1 from Rainer Jung <ra...@kippdata.de> ---
The original approach in BZ 49559 was not the one actually implemented in
2.4.x. In 2.4 starting with 2.4.7, first of all the strength of the default DH
params are derived from the strength of the certificate file. So if for example
the certificate uses a 2048 bit key, then httpd will automatically also choose
(standard) 2048 bit parameters for the ephemeral DH key exchange.
Furthermore you can generate custom params like in your approach, but instead
of putting them into a seperate file you configure with a new directive, you
just append the params to the first configured certificate file.
This approach has been backported to 2.2.x and will be part of 2.2.30.
You can test it by building a current (non-released) 2.2.x trunk or by applying
r1680916 (svn.apache.org/r1680916). Feedback on our approach is welcome. As
said it works the same way as a current 2.4 version.
The official release of 2.2.30 should not be too far in the future, but it has
not yet been tagged.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 57984] Patch to add user-specified Diffie-Hellman parameters to
Apache 2.2.29
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57984
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 57984] Patch to add user-specified Diffie-Hellman parameters to
Apache 2.2.29
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57984
--- Comment #2 from Geoff Mottram <ge...@minaret.biz> ---
Hi Rainer,
Thanks so much for your quick response. Your solution is totally superior and I
appreciate all efforts to backport security enhancements to 2.2 for those of us
who are unable to make the move to 2.4 at this time. I look forward to
implementing 2.2.30 when it arrives.
I withdraw my request but the patch does work for anyone who would like to use
it while waiting for 2.2.30.
Best,
Geoff
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org