On Wednesday 20 May 2015 12:47:35, Dan Ritter wrote:
> In particular, Apache 2.2 does not have
> SSLOpenSSLConfCmd DHParameters
> as a configurable option. It looks like that only shows up in
> 2.4, which is not in wheezy-backports.
>
> So I guess this is a request for either a fix for Apache 2.2 or a
> backport of 2.4 to wheezy.

As I understand it, backporting SSLOpenSSLConfCmd would require a newer openssl than what is available in wheezy or jessie.

Apache 2.4 in jessie uses precomputed DH params that are at least as long as the RSA key size (up to 8192 bits). This gives 2048 bit DH params for the most common 2048 bit RSA keys, which seems to be safe even though they are the same for all servers. It is also possible to load custom DH params from the SSLCertificateFile, but AFAICS this needs to be done for each vhost.

I am planning to backport these improvements to apache 2.2 in wheezy. There are already patches available from upstream.

Backporting 2.4 to wheezy is not feasible because of all the modules that would need to be backported, too.

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1633427.sqntbNTtro@k
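Stefan's message points out that custom DH parameters can be carried in the SSLCertificateFile but must be put there for every vhost, so an administrator wants a way to check, per vhost, whether the certificate file actually contains a DH PARAMETERS block and how large its prime is. The following Python script is an added example written for this page; it is not code from the thread, from Debian or from the Apache project. It parses the PKCS#3 DHParameter structure (SEQUENCE of prime p and generator g) straight out of the PEM text, reports the bit length of p, and flags any vhost below a 2048-bit floor (the figure the message itself uses). The sample vhost files, the certificate placeholder and the large integers standing in for p are constructed inline; the values are odd numbers of the right size, not real primes, so the script can run offline without `openssl dhparam`.

```python
import base64
import re

# Matches the base64 body of a "DH PARAMETERS" block inside a PEM bundle.
PEM_DH_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


# --- minimal DER helpers (only what DHParameter needs) ----------------------

def _der_encode_len(n):
    """Encode a DER length (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_encode_int(v):
    """Encode a non-negative DER INTEGER; the extra byte keeps a leading 0x00
    when the top bit is set, so the value is not read back as negative."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(b)) + b


def _der_len(data, i):
    """Decode a DER length at offset i; return (length, offset after it)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(data, i):
    """Decode a DER INTEGER at offset i; return (value, offset after it)."""
    if data[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, start = _der_len(data, i + 1)
    return int.from_bytes(data[start:start + length], "big", signed=True), start + length


# --- DH PARAMETERS encode / decode ------------------------------------------

def encode_dh_params_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' block (PKCS#3 SEQUENCE { p, g }).
    Used here only to construct sample input."""
    body = _der_encode_int(p) + _der_encode_int(g)
    der = b"\x30" + _der_encode_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def parse_dh_params(der):
    """Parse DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... };
    return (p, g). The optional privateValueLength is ignored."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, i = _der_int(der, i)
    return p, g


def dh_params_from_pem(pem_text):
    """Return (p, g) from the first DH PARAMETERS block, or None if absent."""
    m = PEM_DH_RE.search(pem_text)
    if not m:
        return None
    return parse_dh_params(base64.b64decode(m.group(1)))


def audit_vhosts(vhost_files, minimum_bits=2048):
    """Map vhost name -> (dh_bits or None, meets_minimum). A file with no
    DH block gets (None, False): the server will fall back to its own
    defaults rather than the administrator's chosen parameters."""
    report = {}
    for vhost, pem_text in vhost_files.items():
        params = dh_params_from_pem(pem_text)
        if params is None:
            report[vhost] = (None, False)
        else:
            bits = params[0].bit_length()
            report[vhost] = (bits, bits >= minimum_bits)
    return report


# --- constructed sample input (not real primes, not real certificates) ------
CONSTRUCTED_P_2048 = (1 << 2047) | 1   # odd 2048-bit placeholder, NOT a prime
CONSTRUCTED_P_1024 = (1 << 1023) | 1   # odd 1024-bit placeholder, NOT a prime
CERT_PLACEHOLDER = ("-----BEGIN CERTIFICATE-----\n"
                    "(certificate bytes omitted in this constructed sample)\n"
                    "-----END CERTIFICATE-----\n")

SAMPLE_VHOSTS = {
    "www.example.com":    CERT_PLACEHOLDER + encode_dh_params_pem(CONSTRUCTED_P_2048),
    "legacy.example.com": CERT_PLACEHOLDER + encode_dh_params_pem(CONSTRUCTED_P_1024),
    "other.example.com":  CERT_PLACEHOLDER,   # no custom DH params at all
}

if __name__ == "__main__":
    for vhost, (bits, ok) in sorted(audit_vhosts(SAMPLE_VHOSTS).items()):
        status = "OK" if ok else ("MISSING" if bits is None else "TOO SHORT")
        print("%-20s dh_bits=%-5s %s" % (vhost, bits, status))
```

On a real system the dictionary would be filled by reading each vhost's SSLCertificateFile from disk; the audit logic is unchanged. The generator g is decoded as well so the parser can be extended to sanity-check it, and the script deliberately treats "no DH block" as a failure, since that is exactly the per-vhost omission the message warns about.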