LogJam exploit can force TLS down to 512 bytes, does it affect us?
Winfried Neessen
neessen at cleverbridge.com
Thu May 21 07:07:26 UTC 2015
Hi,
> The document at https://weakdh.org/sysadmin.html gives additional
> information for individual daemons, including Apache (mod_ssl), nginx,
> lighttpd, Tomcat, postfix, sendmail, dovecot and HAProxy.
>
Unfortunately the documentation only offers guidance for Apache 2.4.
As Apache 2.2 does not support the "SSLOpenSSLConfCmd" config parameter,
I've created a "rather ugly but seems to work" workaround for Apache 2.2,
which switches the pre-shipped default 512/1024-bit DH parameters to a
set of self-generated 2048/3072-bit DH params. There is also a quick and
dirty (even more ugly) patch for the /usr/ports/www/apache22 Makefile
that automagically applies the workaround. It can be found here:
http://nop.li/dy
Winni
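Whatever mechanism is used to swap the DH group (the patched Apache 2.2 build above, or SSLOpenSSLConfCmd on 2.4), the two operational steps are the same: generate a group of the intended size, and confirm from the outside that the server really negotiates it. The following is an added example, not code from the message or from the linked workaround; the function names and the constructed s_client output used for testing are my own. The strength check parses the "Server Temp Key" line, which openssl s_client prints only with OpenSSL 1.0.2 or later (the FreeBSD base system of that era shipped 1.0.1, so the ports OpenSSL is assumed for the probe).

```shell
#!/bin/sh
# Added example (not from the post or the linked patch): generate a DH group
# for Apache and verify which DH group a server actually negotiates.
set -eu

# Generate a fresh DH group of $1 bits into file $2.
# 2048 bits is the minimum weakdh.org recommends; generation of 3072-bit
# groups can take many minutes on 2015-era hardware, so do it offline.
gen_dhparams() {
    bits="$1"; out="$2"
    openssl dhparam -out "$out" "$bits"
    # Echo the header line of the generated file as a sanity check of the size.
    openssl dhparam -in "$out" -text -noout | head -n 1
}

# Read `openssl s_client` output on stdin and print the ephemeral DH group
# size in bits, or nothing if no classic DH key exchange was negotiated.
# Matching line (OpenSSL >= 1.0.2): "Server Temp Key: DH, 1024 bits"
dh_bits_from_s_client() {
    sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Read s_client output on stdin; exit 0 if the DH group is at least $1 bits,
# 1 if it is weaker, 2 if no DH group was seen (ECDHE/RSA or failed handshake).
check_dh_strength() {
    minbits="$1"
    bits=$(dh_bits_from_s_client)
    if [ -z "$bits" ]; then
        echo "no DH key exchange negotiated (ECDHE, RSA, or handshake failed)"
        return 2
    fi
    if [ "$bits" -lt "$minbits" ]; then
        echo "WEAK: server negotiated a ${bits}-bit DH group (< ${minbits})"
        return 1
    fi
    echo "OK: server negotiated a ${bits}-bit DH group"
    return 0
}

# Probe a live host (hypothetical usage), forcing a DHE cipher so the server
# must send its DH group rather than falling back to ECDHE or plain RSA.
# Usage: probe_host www.example.org 443 2048
probe_host() {
    host="$1"; port="${2:-443}"; minbits="${3:-2048}"
    printf 'Q\n' | openssl s_client -connect "${host}:${port}" \
        -servername "$host" -cipher 'DHE:!aNULL' 2>/dev/null \
        | check_dh_strength "$minbits"
}
```

A server that is still on the stock Apache 2.2 group reports "WEAK: ... 1024-bit" (or 512-bit with an export cipher forced via -cipher 'EXP'); after the swap it should report the size of the generated file. Note that Apache 2.2.31 and later, released after this message, also accept DH parameters appended to the SSLCertificateFile, which makes the source patch unnecessary on those versions.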
More information about the freebsd-security mailing list