
[PATCH] Re: Logjam mitigation for Wheezy?




On Wed, 20 May 2015, Stefan Fritsch wrote:

> Apache 2.4 in jessie uses precomputed DH params that are at least as 
> long as the RSA key size (up to 8192 bits). This gives 2048 bit DH 
[…]
> I am planning to backport these improvements to apache 2.2 in wheezy. 
> There are already patches available from upstream.

I’ve just done so: both the “precomputed, up to 8192 bits” part
(which already makes Qualys not cap the grade to B, but is not
the proper fix, because, in the end, people will just pregenerate
for the Debian-shipped group too) and the “load DH parameters from
the first SSLCertificateFile” part.

I’ve tested both parts with openssl(1) 1.0.2a (self-compiled from
sources) and had a look at both the weakdh and the Qualys checker.

Please, feel free to make this into a proper wheezy-security upload
until such time as more stuff from 2.2.30 is backported.

My backport is, basically, a reduced and edited SVN diff between
upstream tags/2.2.29 and branches/2.2.x limited to the two parts
I mentioned above (they come together in the same code, so…). I’ve
only edited the documentation slightly (remove the reference to
Apache 2.2.30 in two places) and resolved merge conflicts, but did
not change anything besides.

debdiff plus PGP signature attached. (Signed by my work key, but
that’s signed by my DD(emeritus)-key, so you know.)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Attachment: apache2_2.2.22-13+deb7u4tarent1.debdiff.xz
Description: application/xz

Attachment: apache2_2.2.22-13+deb7u4tarent1.debdiff.xz.sig
Description: PGP signature
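As an added example (not part of this message, the debdiff, or the Apache project), a stdlib-only Python check for the mechanism the backport adds: Apache reads a `DH PARAMETERS` PEM block appended to the first `SSLCertificateFile`, so an audit of such a file can decode that block (DER `SEQUENCE { INTEGER p, INTEGER g }`) and report whether a custom group of adequate size is present, flagging files that would make Apache fall back to its built-in group. The function names, the tiny sample group and the placeholder certificate are constructed for the example.

```python
import base64
import re

DH_BLOCK = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    k = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k
def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    n, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + n], "big", signed=True), i + n
def dh_params_in(pem_text):
    """(p_bits, g) of the first DH PARAMETERS block (SEQUENCE { p, g }), or None."""
    m = DH_BLOCK.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p.bit_length(), g
def needs_custom_params(pem_text, min_bits=2048):
    """True if Apache would fall back to a built-in group (no block) or use a short one."""
    found = dh_params_in(pem_text)
    return found is None or found[0] < min_bits
def _der_tlv(tag, body):
    """Prefix body with a DER tag and length (long form from 128 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    nb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body
def dh_params_pem(p, g):
    """Encode (p, g) as a PEM DH PARAMETERS block; used here only to build inputs."""
    ints = b"".join(_der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in (p, g))
    b64 = base64.b64encode(_der_tlv(0x30, ints)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % body

# Constructed sample SSLCertificateFile: certificate placeholder plus a deliberately
# tiny group (p=23, g=5); a real file gets `openssl dhparam 2048` output appended.
SAMPLE_CERT_FILE = ("-----BEGIN CERTIFICATE-----\n(body omitted in this constructed sample)\n"
                    "-----END CERTIFICATE-----\n" + dh_params_pem(23, 5))
```

The 2048-bit inputs built with `dh_params_pem` in the checks below use a placeholder modulus of the right length, not a real safe prime; only the size check is being exercised.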
