Re: Logjam mitigation for Wheezy?
On Wednesday 20 May 2015 12:47:35, Dan Ritter wrote:
> In particular, Apache 2.2 does not have
> SSLOpenSSLConfCmd DHParameters
> as a configurable option. It looks like that only shows up in
> 2.4, which is not in wheezy-backports.
> So I guess this is a request for either a fix for Apache 2.2 or a
> backport of 2.4 to wheezy.
As I understand it, backporting SSLOpenSSLConfCmd would require a
newer openssl than what is available in wheezy or jessie.
Apache 2.4 in jessie uses precomputed DH params that are at least as
long as the RSA key size (up to 8192 bits). This gives 2048-bit DH
params for the most common 2048-bit RSA keys, which seems to be safe
even though they are the same for all servers. It is also possible to
load custom DH params from the SSLCertificateFile, but AFAICS this
needs to be done for each vhost.
I am planning to backport these improvements to apache 2.2 in wheezy.
There are already patches available from upstream.
Backporting 2.4 to wheezy is not feasible because of all the modules
that would need to be backported, too.
Cheers,
Stefan
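Whichever route is taken (the DH block appended to SSLCertificateFile on 2.2 with the backported patches, or `SSLOpenSSLConfCmd DHParameters` on 2.4.8+ with OpenSSL 1.0.2), the file an admin drops in has to actually contain a safe prime of the intended size, and a copy-paste mistake there is silent: mod_ssl will happily serve a 1024-bit group. The following checker is an added example, not code from the thread, from Debian or from Apache. It parses the `-----BEGIN DH PARAMETERS-----` block that `openssl dhparam -out dhparams.pem 2048` writes (PKCS#3 DHParameter, a DER SEQUENCE of two INTEGERs, parsed here with a minimal hand-written DER reader), and reports the prime size, whether p is a safe prime (p = 2q + 1 with q prime, checked with Miller-Rabin), and whether the generator is in range. The function names, the `min_bits` threshold and the tiny constructed parameters used for illustration (p = 2039, g = 2, and a placeholder CERTIFICATE block) are all assumptions of this example; real parameters are 2048 bits or more.

```python
"""Check a DH PARAMETERS PEM block before it is appended to SSLCertificateFile.

Added example (not from the Debian thread, Debian or Apache). Pure stdlib,
runs offline. Function and variable names are this example's own choices.
"""
import base64
import random

BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: deterministic for n < 3.3e24 with the fixed bases,
    probabilistic (error below 4**-rounds) beyond that, which is adequate
    for checking a 2048-bit parameter."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # cheap trial division first
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:                # n - 1 = 2**r * d with d odd
        d //= 2
        r += 1
    bases = _SMALL_PRIMES + [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness: n is composite
    return True


def _der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem_text):
    """Return (p, g) from the DH PARAMETERS block in a PEM file.
    Other blocks in the same file (the certificate, the key) are ignored,
    so this can be pointed at the combined SSLCertificateFile directly."""
    if BEGIN not in pem_text:
        raise ValueError("no DH PARAMETERS block found")
    body = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _der_read(seq, 0)      # prime p
    tag_g, g_bytes, _ = _der_read(seq, pos)      # base g (optional 3rd INTEGER ignored)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER, INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def dh_params_to_der(p, g):
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def dh_params_to_pem(p, g):
    """Inverse of parse_dh_params_pem, in the layout openssl dhparam uses."""
    b64 = base64.b64encode(dh_params_to_der(p, g)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


def assess_dh_params(p, g, min_bits=2048):
    """What Logjam mitigation needs: >= min_bits, p a safe prime, g in range."""
    q = (p - 1) // 2
    report = {"bits": p.bit_length(), "p_prime": is_probable_prime(p),
              "safe_prime": False, "generator_ok": 2 <= g <= p - 2,
              "subgroup_order_q": False}
    if report["p_prime"]:
        report["safe_prime"] = is_probable_prime(q)
        report["subgroup_order_q"] = pow(g, q, p) == 1   # g generates the order-q subgroup
    report["acceptable"] = (report["bits"] >= min_bits and report["safe_prime"]
                            and report["generator_ok"])
    return report


if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py /path/to/dhparams.pem  (or the combined cert file)
    with open(sys.argv[1]) as f:
        p, g = parse_dh_params_pem(f.read())
    for key, value in assess_dh_params(p, g).items():
        print(f"{key}: {value}")
```

The `subgroup_order_q` field is informational: for a safe prime every element other than 1 and p-1 has order q or 2q, so either answer is usable, but knowing which one you have matters if you later reason about the group. The `acceptable` verdict is what to gate a deployment on; run the script against the file mod_ssl will actually read, after the append, not against the file you generated, so a truncated copy or a leftover 1024-bit block is caught.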