LogJam exploit can force TLS down to 512 bytes, does it affect us? ? (fwd)

Julian H. Stacey jhs at berklix.com
Thu May 21 08:23:28 UTC 2015


Hi apache at FreeBSD.org as MAINTAINER= of current www/apache22/Makefile 
cc'd Winfried Neessen <neessen at cleverbridge.com>

Here's Winfried Neessen's mail below 
with a patch may interest dev at httpd.apache.org

Forwarded from: "Julian H. Stacey" <jhs at berklix.com> http://berklix.com/~jhs/

------- Forwarded Message

From owner-freebsd-ports at freebsd.org Thu May 21 09:56:33 2015
Date: Thu, 21 May 2015 08:59:40 +0200 (CEST)
From: Winfried Neessen <neessen at cleverbridge.com>
To: freebsd-security at freebsd.org
Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra at cleverbridge.com>
In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra at cleverbridge.com>
References: <201505202140.t4KLekE6081029 at fire.js.berklix.net>
 <555D0F37.8040605 at delphij.net>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect
 us? ?
MIME-Version: 1.0
X-Originating-IP: [10.0.5.154]
Thread-Topic: LogJam exploit can force TLS down to 512 bytes,
 does it affect us? ?
Thread-Index: CTgCHW/Aupdj4D2lnL6PApqYKVe3DQ==
X-BeenThere: freebsd-ports at freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request at freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports at freebsd.org>
List-Help: <mailto:freebsd-ports-request at freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request at freebsd.org?subject=subscribe>
Cc: ports at freebsd.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: owner-freebsd-ports at freebsd.org
Sender: owner-freebsd-ports at freebsd.org

Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.
> 

Unfortunately the documentation only offers guidance for Apache 2.4.
As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter,
I've created a "rather ugly but seems to work" workaround for Apache 2.2,
which switches the pre-shipped default 512/1024-bit DH parameters to a
set of self-generated 2048/3072-bit DH params. There is also a quick and
dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile, 
that automagically applies the workaround. It can be found here:
http://nop.li/dy


Winni
_______________________________________________
freebsd-ports at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"


------- End of Forwarded Message
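Whichever way the replacement parameters get into Apache 2.2 (the patch above or a later build), the check a practitioner wants afterwards is that the DH parameter file really carries a modulus of the size claimed and not the 512/1024-bit defaults the message mentions. The following is an added example, not code from the FreeBSD port, from Winfried Neessen's patch or from httpd: it parses a PEM "DH PARAMETERS" file (the PKCS#3 DER structure that `openssl dhparam` writes) with the standard library only and classifies the modulus size using the Logjam thresholds (512-bit export grade, anything under 2048 bits weak). The sample inputs are constructed placeholder moduli built by the script itself; they are not safe primes and exist only so the parser can be exercised offline.

```python
"""Size check for PEM-encoded DH parameters (added example, standard library only).

PKCS#3:  DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER,
                                    privateValueLength INTEGER OPTIONAL }
"""
import base64
import re
import sys

MIN_SAFE_BITS = 2048   # weakdh.org recommendation after Logjam
EXPORT_BITS = 512      # size DHE_EXPORT forces the exchange down to

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(der, i):
    """Return (tag, content, next_index) for the DER element starting at der[i]."""
    if i + 2 > len(der):
        raise ValueError("truncated DER")
    tag, length = der[i], der[i + 1]
    i += 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(der[i:i + n], "big")
        i += n
    if i + length > len(der):
        raise ValueError("DER length runs past end of data")
    return tag, der[i:i + length], i + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block; raise ValueError on malformed input."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, i = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    tag, g_bytes, _ = _read_tlv(body, i)
    if tag != 0x02:
        raise ValueError("expected INTEGER base")
    p = int.from_bytes(p_bytes, "big")      # a leading 0x00 sign pad is harmless here
    g = int.from_bytes(g_bytes, "big")
    if p % 2 == 0 or not 2 <= g < p:
        raise ValueError("implausible DH parameters (even modulus or bad generator)")
    return p, g


def dh_modulus_bits(pem):
    return parse_dh_params(pem)[0].bit_length()


def classify(pem):
    """'export-grade' (<=512 bits), 'weak' (<2048 bits) or 'ok'."""
    bits = dh_modulus_bits(pem)
    if bits <= EXPORT_BITS:
        return "export-grade"
    if bits < MIN_SAFE_BITS:
        return "weak"
    return "ok"


# --- DER encoder, used only to build constructed samples for the check above ---
def _der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b                    # keep the INTEGER positive
    return _der_tlv(0x02, b)


def make_dh_pem(p, g):
    b64 = base64.b64encode(_der_tlv(0x30, _der_int(p) + _der_int(g))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed placeholder moduli, sized like the values discussed in the thread.
# They are NOT safe primes and must never be used in a server; they only
# exercise the parser and the size check offline.
SAMPLE_512 = make_dh_pem((1 << 511) | 1, 2)
SAMPLE_1024 = make_dh_pem((1 << 1023) | 1, 2)
SAMPLE_2048 = make_dh_pem((1 << 2047) | 1, 2)

if __name__ == "__main__":
    # Usage: python dhcheck.py dh2048.pem ...   (files as written by `openssl dhparam`)
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, dh_modulus_bits(fh.read()), "bits:", classify(fh.read() if False else open(path).read()))
```

Run it against the files produced by `openssl dhparam -out dh2048.pem 2048` (and the 3072-bit equivalent) before building the patched port; a file that classifies as "export-grade" or "weak" is exactly what the Logjam downgrade relies on and should not be shipped.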

