[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#733564: pu: apache2 with ECDHE support

Am Sonntag, 29. Dezember 2013, 23:58:54 schrieb Kurt Roeckx:
> I would like to see apache in stable support ECDHE.

I agree with Kurt that this is desirable. The perception what ciphers 
can be considered secure has changed greatly since wheezy has been 
frozen. Adding more options is good.

> This was added somewhere in a 2.3 version and so only part of a
> stable release in 2.4.

This has been backported to 2.2.26 in the meantime: 
http://svn.apache.org/viewvc?view=revision&revision=r1540727
more readable diff: 
https://github.com/apache/httpd/commit/058a25cdcb42572867d613ec13c68a350b9d57b6

This is what I intended to backport to wheezy, but I wanted to wait 
until 2.2.26 had actually been released and didn't get around to it, 
yet.

> The reason I want to see is ECDHE is that we want (Perfect)
> Forward Secrecy (PFS).  Apache supports with with DHE, but
> DHE has some problems:
> - It's much slower than an RSA key exchange.  ECDHE on the
>   other had is much faster than DHE.
> - apache 2.2 only supports 1024 bit DH keys.  It might be
>   configurable in later versions.  We really want to see 2048 bit
>   DH keys.  The number of 1024 bit certificates itself has already
>   been reduced to about 1.5%, so the DH key then becomes the
>   weakest point in chain.  However many of the client can't handle
>   keys that are larger than 1024.  With ECDHE a 256 bit key would
>   be enough and all clients I know about that support ECDHE
>   support at least 256 bits.

Support for larger DH parameters is only available in 2.4.7 so far. 
But for a stable update in Debian, I would strongly prefer if the 
corresponding patch was released in a 2.2.x upstream release before. 
Therefore this part would come in a later point release. If at all: 
the changes in 2.4.7 were rather intrusive and removed some (obsolete) 
features.

> ECDHE also has a known broken implementation.  OS X 10.8..10.8.3
> has broken support for ECDHE-ECDSA ciphers.  Stats from mozilla
> show that about 8.4% of the ciphers the browser negiotates since
> the put ECDHE on top of their prefered list is using ECDHE-ECDSA.
> They see about 23.5% with ECDHE support.  This at least gives
> the impression that about 35% of the sites would want to use
> ECDHE-ECDSA, but it might also be a few sites that have lots
> of traffic.  (The rest would use ECDHE_RSA.)  I have no better
> stats for this, but it's clearly something we need to take into
> account.
> 
> OpenSSL has added support to try and detect this broken version
> and avoid selecting the ECDHE-ECDSA in that case, but that
> detection is currently not in wheezy, but it did just make it
> to jessie.
>
> Adding ECDHE support in apache will probably require backporting
> the patches for that.  I'm not sure how much work that is going
> to be and wether someone like redhat might have already done that.

I don't know how quickly upgrades are ususally adopted in MacOS land, 
but considering that 10.8.5 is out I think it would be even acceptable 
to update apache without that openssl workaround, as long as the 
readme contains exact instructions how to disable ECDHE in case of 
problems. But of course having the openssl workaround would be even 
better.

Cheers,
Stefan
Reply to: