From owner-freebsd-apache@FreeBSD.ORG Thu May 21 08:23:28 2015
Delivered-To: apache@FreeBSD.org
Message-Id: <201505210823.t4L8N3oZ087047@fire.js.berklix.net>
Date: Thu, 21 May 2015 10:23:03 +0200
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
User-agent: EXMH on FreeBSD http://www.berklix.com/free/
X-URL: http://www.berklix.com/~jhs/cv/
To: apache@FreeBSD.org
Cc: Winfried Neessen
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? (fwd)
List-Id: Support of apache-related ports

Hi apache@FreeBSD.org, as MAINTAINER= of current www/apache22/Makefile; cc'd Winfried Neessen.

Here's Winfried Neessen's mail below, with a patch that may interest dev@httpd.apache.org

Forwarded from: "Julian H. Stacey" http://berklix.com/~jhs/

------- Forwarded Message

From owner-freebsd-ports@freebsd.org Thu May 21 09:56:33 2015
Date: Thu, 21 May 2015 08:59:40 +0200 (CEST)
From: Winfried Neessen
To: freebsd-security@freebsd.org
Cc: ports@freebsd.org
Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com>
In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com>
References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net>
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ?
List-Id: Porting software to FreeBSD

Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

Unfortunately the documentation only offers guidance for Apache 2.4. As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've created a "rather ugly but seems to work" workaround for Apache 2.2, which switches the pre-shipped default 512/1024-bit DH parameters to a set of self-generated 2048/3072-bit DH params. There is also a quick and dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile that automagically applies the workaround. It can be found here: http://nop.li/dy

Winni

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"

------- End of Forwarded Message
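The workaround in the forwarded mail replaces Apache 2.2's built-in 512/1024-bit DH parameters with self-generated 2048/3072-bit ones. The check a practitioner wants once such a file is in place is that it really carries a prime of the intended size, with a sane generator, and that the prime is a safe prime (p = 2q + 1 with q prime), which is what `openssl dhparam` produces by default. The script below is an added example and is not part of this thread, of the weakdh.org guidance or of the FreeBSD port. It parses the PEM "DH PARAMETERS" block that `openssl dhparam` writes (PKCS#3 DHParameter: a SEQUENCE of INTEGER p and INTEGER g), reports prime size and generator, runs a Miller-Rabin safe-prime test and rejects anything below a configurable minimum. The sample input is constructed inside the script from the 2048-bit MODP prime of RFC 3526 (group 14, generator 2) so that it runs offline; function names such as `check_dh_params` and the default minimum of 2048 bits are this example's own choices.

```python
"""Inspect a PEM "DH PARAMETERS" file and decide whether it is strong enough.

Added example, not code from the mailing-list post or the FreeBSD port.
Parses the PKCS#3 DHParameter structure (SEQUENCE { p INTEGER, g INTEGER })
that `openssl dhparam` writes, reports the prime size, checks that p is a
safe prime, and rejects anything below a minimum bit length.
"""
import base64
import random
import re
import sys

# Constructed sample input: the 2048-bit MODP prime from RFC 3526, section 3
# (generator 2), encoded below into the PEM shape `openssl dhparam 2048` emits.
RFC3526_2048_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build a PEM "DH PARAMETERS" block from p and g (same layout as openssl)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block; optional trailing fields are ignored."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed-seed witnesses; a check, not key generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(2015)  # deterministic witnesses keep the check reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem, minimum_bits=2048):
    """Report size, generator and safe-prime status; ok=False lists the reasons."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    problems = []
    if bits < minimum_bits:
        problems.append("prime is %d bits, below minimum %d" % (bits, minimum_bits))
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    if not safe:
        problems.append("p is not a safe prime")
    return {"bits": bits, "generator": g, "safe_prime": safe, "ok": not problems, "problems": problems}


SAMPLE_PEM = encode_dh_params(int(RFC3526_2048_P_HEX, 16), 2)

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    report = check_dh_params(pem)
    print("prime: %d bits, generator %d, safe prime: %s" % (report["bits"], report["generator"], report["safe_prime"]))
    print("OK" if report["ok"] else "REJECT: " + "; ".join(report["problems"]))
```

Run it with the path of a file written by `openssl dhparam -out dh2048.pem 2048` (or whatever file the workaround installs) to check real parameters; without an argument it checks the embedded RFC 3526 sample. A file produced with `openssl dhparam -dsaparam` will pass the size check but fail the safe-prime check, which is expected: those parameters are DSA-style and p is deliberately not a safe prime.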