From: | Paul Tobias <tobias.pal@×××××.com>
---|---
To: | gentoo-user@l.g.o
Subject: | Re: [gentoo-user] logjam vulnerability
Date: | Thu, 21 May 2015 15:10:33
Message-Id: | CABHv7=qgP-+j+Hpy4L=xma29VcTwAF4_O9W3S_6xUWaZ62YyzA@mail.gmail.com
In Reply to: | [gentoo-user] logjam vulnerability by "Stefan G. Weichinger"
On 21 May 2015 at 13:53, Stefan G. Weichinger <lists@×××××.at> wrote:
>
> Heard of logjam today -> https://weakdh.org
>
> Tried to fix it following:
>
> https://weakdh.org/sysadmin.html
>
> for postfix that works
>
> for apache-2.2.29 (=stable gentoo package) I googled that one has to
>
> # cat dhparams.pem >> /my/ssl_cert_file
>
> and restart apache

Hmm, where did you read that?

The custom DH parameters are supported in SSLCertificateFile with
apache >= 2.4.7. (see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)

Unfortunately the suggested SSLOpenSSLConfCmd option from
https://weakdh.org/sysadmin.html is available only from apache >=
2.4.8 (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd)

> But even then the tests at weakdh.org and
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> tell me I have too weak DH groups
>
> Does anyone have the same issue? And a solution?
>
> Thanks, regards, Stefan

With apache 2.2 you'll have to patch manually for now, for example
this patch: http://serverfault.com/a/693448/88476 I don't run any
apache 2.2 instances so I can't test.

Fortunately it's quite easy to apply custom patches with gentoo:
https://wiki.gentoo.org/wiki//etc/portage/patches

Have a nice day,
Paul
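An added example, not part of the thread above: a small Python check that pulls the `DH PARAMETERS` block out of a dhparams.pem (or out of a combined SSLCertificateFile the parameters were appended to, as in the quoted `cat` step) and reports the size of the prime, flagging anything below the 2048 bits weakdh.org recommends. The function names, the 2048-bit threshold constant and the sample moduli are my own; the samples are constructed test values, not real safe primes.

```python
import base64
import re

MIN_DH_BITS = 2048  # weakdh.org recommends 2048-bit groups or larger

def _der_len_bytes(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_encode_int(value):
    """Encode a non-negative DER INTEGER; the extra byte keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len_bytes(len(body)) + body

def build_dhparams_pem(p, g):
    """Build a PKCS#3 DH PARAMETERS PEM block (SEQUENCE { p, g }) from integers."""
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_len_bytes(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def parse_dhparams(pem):
    """Return (p, g) from the first DH PARAMETERS block found in a PEM file."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, pos = _der_len(der, 1)
    p, pos = _der_int(der, pos)
    g, _ = _der_int(der, pos)
    return p, g

def dh_strength(pem):
    """Return (prime_bits, is_weak) for the DH group in the PEM text."""
    bits = parse_dhparams(pem)[0].bit_length()
    return bits, bits < MIN_DH_BITS

# Constructed samples (odd numbers of the right size, NOT real safe primes)
SAMPLE_WEAK = build_dhparams_pem((1 << 1023) | 1, 2)   # 1024-bit group
SAMPLE_OK = build_dhparams_pem((1 << 2047) | 1, 2)     # 2048-bit group
```

Run `dh_strength(open("dhparams.pem").read())` against a real file generated with `openssl dhparam`; the regex search means a certificate file with the parameters appended works the same way.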