Re: Logjam mitigation for Wheezy?

To: debian-security@lists.debian.org
Subject: Re: Logjam mitigation for Wheezy?
From: Starchy Grant <starchy@eff.org>
Date: Wed, 20 May 2015 15:18:48 -0700
Message-id: <[🔎] 555D0848.9090604@eff.org>
In-reply-to: <[🔎] 8c546854-ff18-11e4-9b6a-00163eeb5320@msgid.mathom.us>
References: <[🔎] 20150520164735.GB24453@randomstring.org> <[🔎] 8c546854-ff18-11e4-9b6a-00163eeb5320@msgid.mathom.us>

On 05/20/2015 10:53 AM, Michael Stone wrote:
> On Wed, May 20, 2015 at 12:47:35PM -0400, Dan Ritter wrote:
>> Is there any chance of getting Logjam ( https://weakdh.org/ )
>> mitigation for Wheezy packages?
> 
> You can mitigate it right now by reconfiguring your server to remove DH
> ciphers from SSLCipherSuite.

This particular configuration works very well with Apache 2.2:

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
!PSK !SRP !DSS

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Logjam mitigation for Wheezy?
  - From: Dan Ritter <dsr@randomstring.org>
- Re: Logjam mitigation for Wheezy?
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Logjam mitigation for Wheezy?
Next by Date: Upcoming stable point release (8.1)
Previous by thread: Re: Logjam mitigation for Wheezy?
Next by thread: Re: Logjam mitigation for Wheezy?
Index(es):
- Date
- Thread