Date:      Thu, 21 May 2015 10:23:03 +0200
From:      "Julian H. Stacey" <jhs@berklix.com>
To:        apache@FreeBSD.org
Cc:        Winfried Neessen <neessen@cleverbridge.com>
Subject:   Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? (fwd)
Message-ID:  <201505210823.t4L8N3oZ087047@fire.js.berklix.net>

Hi apache@FreeBSD.org as MAINTAINER= of current www/apache22/Makefile 
cc'd Winfried Neessen <neessen@cleverbridge.com>

Here's Winfried Neessen's mail below 
with a patch that may interest dev@httpd.apache.org

Forwarded from: "Julian H. Stacey" <jhs@berklix.com> http://berklix.com/~jhs/

------- Forwarded Message

From owner-freebsd-ports@freebsd.org Thu May 21 09:56:33 2015
Date: Thu, 21 May 2015 08:59:40 +0200 (CEST)
From: Winfried Neessen <neessen@cleverbridge.com>
To: freebsd-security@freebsd.org
Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com>
In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com>
References: <201505202140.t4KLekE6081029@fire.js.berklix.net>
 <555D0F37.8040605@delphij.net>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect
 us? ?
Cc: ports@freebsd.org

Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.
> 

Unfortunately the documentation only offers guidance for Apache 2.4.
As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter,
I've created a "rather ugly but seems to work" workaround for Apache 2.2,
which switches the pre-shipped default 512/1024-bit DH parameters to a
set of self-generated 2048/3072-bit DH params. There is also a quick and
dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile, 
that automagically applies the workaround. It can be found here:
http://nop.li/dy


Winni
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"


------- End of Forwarded Message


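As an added example (not part of either message above, and not Winfried's patch or the apache22 port's code): before dropping a self-generated parameter set into mod_ssl, it is worth confirming that the file really carries a modulus of the intended size and that the modulus is a safe prime, since a weak or malformed set silently reintroduces the problem the workaround is meant to remove. The script below assumes the PKCS#3 PEM layout that `openssl dhparam` writes (a DER SEQUENCE of INTEGER p and INTEGER g inside a "DH PARAMETERS" block). The three sample files are constructed inside the script from the RFC 3526 group 14 prime (2048 bits), the RFC 2409 group 2 prime (1024 bits, the size class the page says Apache 2.2 ships by default) and a deliberately composite 2048-bit modulus; all function names are my own.

```python
"""Check a PEM "DH PARAMETERS" file for modulus size and safe-prime structure.

Added example, not code from the page or from the apache22 port.  Assumes the
PKCS#3 layout written by `openssl dhparam`: DER SEQUENCE { INTEGER p, INTEGER g }
base64-wrapped in a "DH PARAMETERS" PEM block.
"""
import base64
import random
import re
import sys
import textwrap

# Well-known MODP primes, used only to build sample files inside this script.
# RFC 3526 group 14, 2048 bits, generator 2 (a safe prime).
RFC3526_GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
# RFC 2409 group 2, 1024 bits: the size class of Apache 2.2's built-in params.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(x):
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def dh_params_to_pem(p, g=2):
    """Encode (p, g) exactly as openssl dhparam does; used to build the samples."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem):
    """Return (p, g); an optional trailing privateValueLength INTEGER is ignored."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73]


def is_probable_prime(n, rounds=12):
    """Trial division by small primes, then Miller-Rabin with OS-random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # witness found: n is composite
    return True


def assess_dh_params(pem, minimum_bits=2048):
    """Size and structure verdict for one parameter file, as a dict."""
    p, g = parse_dh_params_pem(pem)
    bits = p.bit_length()
    result = {"bits": bits, "generator": g, "safe_prime": None}
    if bits < 1024:                 # the Logjam export-grade class: reject without further work
        result["verdict"] = "reject: %d-bit modulus is export-grade" % bits
        return result
    result["safe_prime"] = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    if not result["safe_prime"]:
        result["verdict"] = "reject: p is not a safe prime"
    elif bits < minimum_bits:
        result["verdict"] = "weak: %d-bit modulus, below the %d-bit minimum" % (bits, minimum_bits)
    else:
        result["verdict"] = "ok"
    return result


# Constructed samples: good 2048-bit set, the 1024-bit class, and a bogus 2048-bit modulus.
SAMPLE_GOOD_2048 = dh_params_to_pem(RFC3526_GROUP14_P)
SAMPLE_WEAK_1024 = dh_params_to_pem(RFC2409_GROUP2_P)
SAMPLE_COMPOSITE = dh_params_to_pem(2 ** 2047 + 1)      # 2048 bits, but divisible by 3

if __name__ == "__main__":
    if sys.argv[1:]:                                    # check real files, e.g. the port's dhparams.pem
        for path in sys.argv[1:]:
            with open(path) as fh:
                print(path, assess_dh_params(fh.read()))
    else:
        for name, pem in [("good_2048", SAMPLE_GOOD_2048), ("weak_1024", SAMPLE_WEAK_1024),
                          ("composite", SAMPLE_COMPOSITE)]:
            print(name, assess_dh_params(pem))
```

Run with no arguments it reports the three samples; pass the path of a generated `dhparams.pem` to check a real file. A 3072-bit set passes the same checks and just takes a little longer in the primality step. Once the parameters are installed and httpd restarted, confirm on the wire rather than trusting the config: with OpenSSL 1.0.2 or later, `openssl s_client -connect host:443 -cipher 'DHE' </dev/null 2>&1 | grep 'Server Temp Key'` should report `DH, 2048 bits` (or 3072), not 1024 or 512.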

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201505210823.t4L8N3oZ087047>