Gentoo Archives: gentoo-user

From: Paul Tobias <tobias.pal@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] logjam vulnerability
Date: Thu, 21 May 2015 15:10:33
Message-Id: CABHv7=qgP-+j+Hpy4L=xma29VcTwAF4_O9W3S_6xUWaZ62YyzA@mail.gmail.com
In Reply to: [gentoo-user] logjam vulnerability by "Stefan G. Weichinger"
On 21 May 2015 at 13:53, Stefan G. Weichinger <lists@×××××.at> wrote:
>
> Heard of logjam today -> https://weakdh.org
>
> Tried to fix it following:
>
> https://weakdh.org/sysadmin.html
>
> for postfix that works
>
> for apache-2.2.29 (=stable gentoo package) I googled that one has to
>
> # cat dhparams.pem >> /my/ssl_cert_file
>
> and restart apache

Hmm, where did you read that?

The custom DH parameters are supported in SSLCertificateFile with
apache >= 2.4.7 (see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile).

Unfortunately the suggested SSLOpenSSLConfCmd option from
https://weakdh.org/sysadmin.html is available only from apache >=
2.4.8 (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd).

> But even then the tests at weakdh.org and
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> tell me I have too weak DH groups
>
> Does anyone have the same issue? And a solution?
>
> Thanks, regards, Stefan

With apache 2.2 you'll have to patch manually for now, for example
this patch: http://serverfault.com/a/693448/88476 (I don't run any
apache 2.2 instances so I can't test).

Fortunately it's quite easy to apply custom patches with gentoo:
https://wiki.gentoo.org/wiki//etc/portage/patches

Have a nice day,
Paul
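As an added illustration of the version split Paul describes (not part of the thread, and not Paul's or the Apache project's code): a small POSIX shell helper that picks the DH-parameter deployment method from the httpd version string, using the thresholds stated above (2.4.7 for DH parameters inside SSLCertificateFile, 2.4.8 for SSLOpenSSLConfCmd, anything older needs a patch), and a check that a combined PEM file actually carries a DH PARAMETERS block after the `cat dhparams.pem >> cert` step. The `DHParameters` command is the one the weakdh.org sysadmin page recommends; the PEM content written by `make_sample_pem` is a constructed placeholder, not real key material, and the `/etc/ssl/dhparams.pem` path is an assumption.

```shell
#!/bin/sh
# Added example: choose how to deploy custom DH parameters for a given
# Apache httpd version, and verify a PEM file contains a DH block.

# version_ge A B: succeed (exit 0) when dotted version A >= B.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# dh_method VERSION: print which deployment route applies.
#   confcmd      - SSLOpenSSLConfCmd DHParameters (httpd >= 2.4.8)
#   cert-append  - DH params appended to SSLCertificateFile (httpd >= 2.4.7)
#   patch        - no built-in support, mod_ssl must be patched (e.g. 2.2.x)
dh_method() {
  if version_ge "$1" 2.4.8; then
    echo confcmd
  elif version_ge "$1" 2.4.7; then
    echo "cert-append"
  else
    echo patch
  fi
}

# dh_config_snippet VERSION: print the httpd.conf line(s) for that route.
# Path /etc/ssl/dhparams.pem is an assumed location.
dh_config_snippet() {
  case "$(dh_method "$1")" in
    confcmd)
      echo 'SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparams.pem"' ;;
    cert-append)
      echo '# append dhparams.pem to the file named in SSLCertificateFile'
      echo 'SSLCertificateFile /etc/ssl/apache-cert-with-dh.pem' ;;
    patch)
      echo '# httpd < 2.4.7: apply a mod_ssl patch via /etc/portage/patches' ;;
  esac
}

# pem_has_dh FILE: succeed when FILE contains a PEM DH PARAMETERS block.
pem_has_dh() {
  grep -q '^-----BEGIN DH PARAMETERS-----' "$1" \
    && grep -q '^-----END DH PARAMETERS-----' "$1"
}

# make_sample_pem FILE WITH_DH: write a constructed placeholder PEM file
# (dummy base64 body, not a real certificate or real DH group).
make_sample_pem() {
  {
    echo '-----BEGIN CERTIFICATE-----'
    echo 'MIIBplaceholderCERTbody=='
    echo '-----END CERTIFICATE-----'
    if [ "$2" = yes ]; then
      echo '-----BEGIN DH PARAMETERS-----'
      echo 'MIIBplaceholderDHbody=='
      echo '-----END DH PARAMETERS-----'
    fi
  } > "$1"
}

# Stand-alone usage: report the route for the versions named in the thread.
for v in 2.2.29 2.4.7 2.4.8; do
  printf 'httpd %s -> %s\n' "$v" "$(dh_method "$v")"
done
```

`dh_method` only encodes the version thresholds from the thread; whether the deployed group is actually large enough still has to be confirmed with the external tests Stefan mentions (weakdh.org or the SSL Labs analyzer).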
