Date: Thu, 21 May 2015 10:23:03 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
To: apache@FreeBSD.org
Cc: Winfried Neessen <neessen@cleverbridge.com>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? (fwd)
Message-ID: <201505210823.t4L8N3oZ087047@fire.js.berklix.net>

Hi apache@FreeBSD.org as MAINTAINER= of current www/apache22/Makefile
cc'd Winfried Neessen <neessen@cleverbridge.com>

Here's Winfried Neessen's mail below with a patch that may interest dev@httpd.apache.org

Forwarded from: "Julian H. Stacey" <jhs@berklix.com> http://berklix.com/~jhs/

------- Forwarded Message

>From owner-freebsd-ports@freebsd.org Thu May 21 09:56:33 2015
Date: Thu, 21 May 2015 08:59:40 +0200 (CEST)
From: Winfried Neessen <neessen@cleverbridge.com>
To: freebsd-security@freebsd.org
Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com>
In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com>
References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ?
MIME-Version: 1.0
X-Originating-IP: [10.0.5.154]
Thread-Topic: LogJam exploit can force TLS down to 512 bytes, does it affect us? ?
Thread-Index: CTgCHW/Aupdj4D2lnL6PApqYKVe3DQ==
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
Cc: ports@freebsd.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: owner-freebsd-ports@freebsd.org
Sender: owner-freebsd-ports@freebsd.org

Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.
>

Unfortunately the documentation only offers guidance for Apache 2.4. As
Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've
created a "rather ugly but seems to work" workaround for Apache 2.2, which
switches the pre-shipped default 512/1024 bit DH parameters to a set of
self-generated 2048/3072 bit DH params.

There is also a quick and dirty (even more ugly) patch for the
/usr/ports/www/apache22 Makefile that automagically applies the workaround.

It can be found here: http://nop.li/dy

Winni
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"

------- End of Forwarded Message