* [gentoo-user] logjam vulnerability
@ 2015-05-21 12:53 Stefan G. Weichinger
2015-05-21 15:09 ` Paul Tobias
0 siblings, 1 reply; 3+ messages in thread
From: Stefan G. Weichinger @ 2015-05-21 12:53 UTC (permalink / raw
To: gentoo-user
Heard of logjam today -> https://weakdh.org
Tried to fix it following:
https://weakdh.org/sysadmin.html
for postfix that works
for apache-2.2.29 (=stable gentoo package) I googled that one has to
# cat dhparams.pem >> /my/ssl_cert_file
and restart apache
But even then the tests at weakdh.org and
https://www.ssllabs.com/ssltest/analyze.html
tell me I have too weak DH groups
Does anyone have the same issue? And a solution?
Thanks, regards, Stefan
* Re: [gentoo-user] logjam vulnerability
From: Paul Tobias @ 2015-05-21 15:09 UTC
To: gentoo-user
On 21 May 2015 at 13:53, Stefan G. Weichinger <lists@xunil.at> wrote:
>
> Heard of logjam today -> https://weakdh.org
>
> Tried to fix it following:
>
> https://weakdh.org/sysadmin.html
>
> for postfix that works
>
> for apache-2.2.29 (=stable gentoo package) I googled that one has to
>
> # cat dhparams.pem >> /my/ssl_cert_file
>
> and restart apache
Hmm, where did you read that?
The custom DH parameters are supported in SSLCertificateFile with
apache >= 2.4.7. (see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)
Unfortunately the suggested SSLOpenSSLConfCmd option from
https://weakdh.org/sysadmin.html is available only from apache >=
2.4.8 (see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd)
> But even then the tests at weakdh.org and
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> tell me I have too weak DH groups
>
> Does anyone have the same issue? And a solution?
>
> Thanks, regards, Stefan
With apache 2.2 you'll have to patch manually for now, for example
this patch: http://serverfault.com/a/693448/88476 (I don't run any
apache 2.2 instances so I can't test).
Fortunately it's quite easy to apply custom patches with gentoo:
https://wiki.gentoo.org/wiki//etc/portage/patches
Have a nice day,
Paul
* Re: [gentoo-user] logjam vulnerability
From: Stefan G. Weichinger @ 2015-05-21 16:16 UTC
To: gentoo-user
On 21.05.2015 17:09, Paul Tobias wrote:
>> for apache-2.2.29 (=stable gentoo package) I googled that one has to
>>
>> # cat dhparams.pem >> /my/ssl_cert_file
>>
>> and restart apache
>
> Hmm, where did you read that?
For example, in here:
http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd/693244#693244
but also in a German thread somewhere.
> With apache 2.2 you'll have to patch manually for now, for example
> this patch: http://serverfault.com/a/693448/88476 I don't run any
> apache 2.2 instances so I can't test.
>
> Fortunately it's quite easy to apply custom patches with gentoo:
> https://wiki.gentoo.org/wiki//etc/portage/patches
Sure, no problem.
Don't you think there will be an updated ebuild in portage soon?
So far nothing on b.g.o.
Stefan