From owner-freebsd-security@FreeBSD.ORG Thu May 21 07:07:26 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 48938D4B; Thu, 21 May 2015 07:07:26 +0000 (UTC) Received: from mail.cleverbridge.com (mail.cleverbridge.com [89.1.11.32]) by mx1.freebsd.org (Postfix) with ESMTP id 0093B1AFA; Thu, 21 May 2015 07:07:25 +0000 (UTC) Received: from homer.cgn.cleverbridge.com (homer.cgn.cleverbridge.com [10.0.5.150]) by mail.cleverbridge.com (Postfix) with ESMTP id 412709C54B4; Thu, 21 May 2015 08:59:42 +0200 (CEST) Received: from localhost (unknown [127.0.0.1]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id 3B6C88B4005A; Thu, 21 May 2015 08:59:42 +0200 (CEST) Received: from homer.cgn.cleverbridge.com ([127.0.0.1]) by localhost (homer.cgn.cleverbridge.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id foTUuew2jxQQ; Thu, 21 May 2015 08:59:41 +0200 (CEST) Received: from localhost (unknown [127.0.0.1]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id 1AB0B8B4007C; Thu, 21 May 2015 08:59:41 +0200 (CEST) X-Virus-Scanned: amavisd-new at homer.cgn.cleverbridge.com Received: from homer.cgn.cleverbridge.com ([127.0.0.1]) by localhost (homer.cgn.cleverbridge.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id J2LwiUi0N0Xc; Thu, 21 May 2015 08:59:40 +0200 (CEST) Received: from homer.cgn.cleverbridge.com (homer.cgn.cleverbridge.com [10.0.5.150]) by homer.cgn.cleverbridge.com (Postfix) with ESMTP id EC0DC8B4005A; Thu, 21 May 2015 08:59:40 +0200 (CEST) Date: Thu, 21 May 2015 08:59:40 +0200 (CEST) From: Winfried Neessen To: freebsd-security@freebsd.org Cc: ports@freebsd.org Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com> In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com> References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net> Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [10.0.5.154] X-Mailer: Zimbra 8.5.0_GA_3050 (ZimbraWebClient - GC42 (Win)/8.5.0_GA_3042) Thread-Topic: LogJam exploit can force TLS down to 512 bytes, does it affect us? ? Thread-Index: CTgCHW/Aupdj4D2lnL6PApqYKVe3DQ== X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 07:07:26 -0000 Hi, > The document at https://weakdh.org/sysadmin.html gives additional > information for individual daemons, including Apache (mod_ssl), nginx, > lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy. > Unfortunately the documentation does only offer guidance for Apache 2.4. As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've created a "rather ugly but seems to work" workaround for Apache 2.2, which switches the pre-shipped default 512/1024 bits DH parameters to a set of self-generated 2048/3072 bit DH params. There is also a quick and dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile, that automagically applies the workaround. It can be found here: http://nop.li/dy Winni