On Wed, 20 May 2015, Stefan Fritsch wrote:

> Apache 2.4 in jessie uses precomputed DH params that are at least as
> long as the RSA key size (up to 8192 bits). This gives 2048 bit DH
[…]
> I am planning to backport these improvements to apache 2.2 in wheezy.
> There are already patches available from upstream.

I’ve just done so: both the “precomputed, up to 8192 bits” part (which already makes Qualys not cap the grade to B, but is not the proper fix, because, in the end, people will just pregenerate for the Debian-shipped group too) and the “load DH parameters from the first SSLCertificateFile” part.

I’ve tested both parts with openssl(1) 1.0.2a (self-compiled from sources) and had a look at both the weakdh and the Qualys checker.

Please, feel free to make this into a proper wheezy-security upload until such time as more stuff from 2.2.30 is backported. My backport is, basically, a reduced and edited SVN diff between upstream tags/2.2.29 and branches/2.2.x limited to the two parts I mentioned above (they come together in the same code, so…). I’ve only edited the documentation slightly (remove the reference to Apache 2.2.30 in two places) and resolved merge conflicts, but did not change anything besides.

debdiff plus PGP signature attached. (Signed by my work key, but that’s signed by my DD(emeritus)-key, so you know.)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr.
Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Attachment:
apache2_2.2.22-13+deb7u4tarent1.debdiff.xz
Description: application/xz
Attachment:
apache2_2.2.22-13+deb7u4tarent1.debdiff.xz.sig
Description: PGP signature
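
An added example, not part of the original message or the attached debdiff: a Python check for the “load DH parameters from the first SSLCertificateFile” behaviour described above, which looks for a `DH PARAMETERS` PEM block in that file's contents and reports the bit length of its prime. The sample file is constructed in the code (placeholder certificate body, and an integer of the right size that is not a real prime); the function names and the 2048-bit default threshold are assumptions of this example.

```python
import base64
import re

DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in the first DH PARAMETERS block, or None if absent."""
    m = DH_BLOCK.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS body is not a DER SEQUENCE")
    tag, p, _ = _tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER (p)")
    return int.from_bytes(p, "big").bit_length()

def audit(pem_text, minimum=2048):
    """Return (bits, ok); bits is None when the file carries no custom group."""
    bits = dh_prime_bits(pem_text)
    return bits, bits is not None and bits >= minimum

# --- constructed sample input below: not a real certificate, p is not a real prime ---
def _der(tag, body):
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def _der_int(n):
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_cert_file(bits):
    p = (1 << (bits - 1)) | 1          # has the requested bit length, nothing more
    der = _der(0x30, _der_int(p) + _der_int(2))
    return ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
            "-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, audit(sample_cert_file(bits)))
```

A result of `(None, False)` means the file has no appended group, so the server uses the precomputed parameters the message describes.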