Date: Thu, 21 May 2015 08:59:40 +0200 (CEST)
From: Winfried Neessen <neessen@cleverbridge.com>
To: freebsd-security@freebsd.org
Cc: ports@freebsd.org
Subject: Re: LogJam exploit can force TLS down to 512 bytes, does it affect us?
Message-ID: <347004930.963898.1432191580437.JavaMail.zimbra@cleverbridge.com>
In-Reply-To: <1500859835.963897.1432191554381.JavaMail.zimbra@cleverbridge.com>
References: <201505202140.t4KLekE6081029@fire.js.berklix.net> <555D0F37.8040605@delphij.net>
Hi,

> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.

Unfortunately the documentation only offers guidance for Apache 2.4. As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter, I've created a "rather ugly but seems to work" workaround for Apache 2.2, which switches the pre-shipped default 512/1024-bit DH parameters to a set of self-generated 2048/3072-bit DH params.

There is also a quick and dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile that automagically applies the workaround.

It can be found here: http://nop.li/dy

Winni
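As an added example, not part of Winfried's mail or of the linked workaround: a small Python script that parses a PEM "DH PARAMETERS" file (PKCS#3 DHParameter: SEQUENCE { prime p, generator g }) and reports the prime size, so the dhparam files a server ships or loads can be checked for the 512/1024-bit groups this thread is about, before and after swapping them for 2048/3072-bit ones. The sample PEMs are constructed inside the script from integers of a known bit length (they are not real safe primes; only the size matters for this check), and the function names (parse_dh_params, dh_prime_bits, assess) are my own choices, not an API from the page.

```python
import base64
import re

# weakdh.org recommends at least 2048-bit DH groups; anything smaller is flagged.
MIN_DH_BITS = 2048

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_len(buf, i):
    """Decode a DER length field at buf[i]; return (length, index_after)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                       # long form: n following bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index_after)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, start = _der_len(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block (PKCS#3 DHParameter)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)                # skip over the SEQUENCE header
    p, i = _der_int(der, i)                # prime modulus
    g, i = _der_int(der, i)                # generator (privateValueLength, if any, is ignored)
    return p, g


def dh_prime_bits(pem):
    """Bit length of the DH prime in a PEM block: 512, 1024, 2048, ..."""
    p, _ = parse_dh_params(pem)
    return p.bit_length()


def assess(bits, minimum=MIN_DH_BITS):
    """'weak' for groups below the minimum (e.g. Apache 2.2's 512/1024), else 'ok'."""
    return "weak" if bits < minimum else "ok"


# --- encoder, used only to construct sample files for the demonstration ---

def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int_enc(v):
    # One extra byte so a set high bit gets a leading 0x00 (positive INTEGER).
    return b"\x02" + _der_len_enc(v.bit_length() // 8 + 1) + v.to_bytes(v.bit_length() // 8 + 1, "big")


def encode_dh_params(p, g):
    """Build a PEM DH PARAMETERS block for (p, g); used here for constructed samples."""
    body = _der_int_enc(p) + _der_int_enc(g)
    der = b"\x30" + _der_len_enc(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed samples: the moduli are NOT primes, they only have the stated bit length.
SAMPLE_1024_PEM = encode_dh_params((1 << 1023) | 1, 2)
SAMPLE_2048_PEM = encode_dh_params((1 << 2047) | 1, 2)


def audit(pem):
    """Report prime size and verdict for one PEM block."""
    bits = dh_prime_bits(pem)
    return {"bits": bits, "verdict": assess(bits)}


if __name__ == "__main__":
    for name, pem in (("sample-1024", SAMPLE_1024_PEM), ("sample-2048", SAMPLE_2048_PEM)):
        print(name, audit(pem))
```

Point the same parse at a real file (for example one written by `openssl dhparam`) by reading it into `audit()`; a result of 512 or 1024 bits is exactly the pre-shipped default the workaround above replaces.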