[Bug 1197884] [NEW] apache2.2 SSL has no forward-secrecy: need ECDHE keys

[Launchpad Bug Tracker]

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Robie Basak (racb):

In the light of recent revelations about Prism/NSA/GCHQ etc, it is more
important than ever to keep SSL secure.

But... as far as I can tell, there exists no combination of SSL cIphers that satisfies all of:
 
 *  Resistant to the BEAST attack
 * Has Perfect Forward Secrecy
 * Is in Apache 2.2

[I'm testing with: https://www.ssllabs.com/ssltest/analyze.html ]

The only solution seems to be to deploy Apache 2.4 (or backport the
ECDHE ciphers into the 2.2 package).

Can I suggest therefore that the lack of Apache 2.4 packages represents
a serious security vulnerability to people visiting websites hosted on
Ubuntu.

This affects every currently released Ubuntu distro (including raring).
There is still no pacakge of apache 2.4, nor is there a backport of the
ECDHE feature.  There are some PPAs of 2.4, but these aren't maintained
with security updates, nor do they support mod_php.

** Affects: apache2 (Ubuntu)
     Importance: Wishlist
         Status: Fix Released

** Affects: apache2 (Ubuntu Precise)
     Importance: Wishlist
         Status: Confirmed

** Affects: apache2 (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: precise
-- 
apache2.2 SSL has no forward-secrecy: need ECDHE keys
https://bugs.launchpad.net/bugs/1197884
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.