
Re: Logjam mitigation for Wheezy?



Stefan Fritsch <sf <at> sfritsch.de> writes:

> It is also possible to 
> load custom DH params from the SSLCertificateFile, but AFAICS this 
> needs to be done for each vhost.

That sounds like an option, but isn’t available in wheezy yet ☹
but if you’re going to ship it via wheezy-security… great!


Michael Stone <mstone <at> debian.org> writes:

> You can mitigate it right now by reconfiguring your server to remove DH 
> ciphers from SSLCipherSuite.

That’s throwing the baby out with the bathwater and removing the
ability to use PFS with clients that do not use ECC, for whatever
reason (any discussion of these reasons is off-topic). So, no. Bad
advice, actually, which should not be given.


bye,
//mirabilos
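
Because the custom DH parameters discussed above have to be placed in the SSLCertificateFile of each vhost, a check like the following lists the vhosts whose certificate file still lacks a DH PARAMETERS block. It is an added example, not part of this thread or of Apache; the config text, server names, file paths and PEM bodies are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: an Apache config with two TLS vhosts (hypothetical names and paths).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/a.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.org
    SSLEngine on
    SSLCertificateFile "/etc/ssl/b.pem"
</VirtualHost>
"""

# Constructed stand-ins for the PEM files; bodies are placeholders, only the markers matter.
SAMPLE_FILES = {
    "/etc/ssl/a.pem": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
                      "-----BEGIN DH PARAMETERS-----\n(placeholder)\n-----END DH PARAMETERS-----\n",
    "/etc/ssl/b.pem": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
}

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DH_RE = re.compile(r"-----BEGIN DH PARAMETERS-----.+?-----END DH PARAMETERS-----", re.S)

def directive(block, name):
    """Return all values of a directive inside one vhost block, skipping comment lines."""
    pat = re.compile(r"^[ \t]*" + name + r"[ \t]+(.+?)[ \t]*$", re.M | re.I)
    return [v.strip('"') for v in pat.findall(block)]

def vhosts_without_dh(conf_text, read_file):
    """List (ServerName, cert path) for every vhost whose certificate file has no DH block."""
    missing = []
    for block in VHOST_RE.findall(conf_text):
        names = directive(block, "ServerName") or ["(unnamed)"]
        for path in directive(block, "SSLCertificateFile"):
            try:
                pem = read_file(path)
            except (OSError, KeyError):
                pem = ""  # an unreadable file is reported as having no custom parameters
            if not DH_RE.search(pem):
                missing.append((names[0], path))
    return missing

if __name__ == "__main__":
    for name, path in vhosts_without_dh(SAMPLE_CONF, SAMPLE_FILES.__getitem__):
        print(f"{name}: {path} has no DH PARAMETERS block")
```

To run it against a real server, pass the actual config text and a `read_file` that opens the path; files pulled in through `Include` are not followed.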
