[Bug 1197884] Re: apache2.2 SSL has no forward-secrecy: need ECDHE keys
Andreas Tauscher
1197884 at bugs.launchpad.net
Mon May 25 21:20:38 UTC 2015
I did not want to wait until this is fixed for apache 2.22 in Ubuntu 12.04.
So I took mod_ssl from apache 2.2.29 which supports ECDH.
Additionally, I removed the 512 and 1024 bit DH parameters from ssl_engine_dh.c and replaced them with 2048 and 3072 bit.
Two DH keys are not needed because libssl in 12.04 never asks for more than 1024 bit so always 3072 are returned. But I realised this afterwards....
You can download my modified mod_ssl from http://download.ict-pros.co.tz/mod_ssl-apache2.22.tar.bz2
Short instructions:
apt-get source apache2
apt-get build-dep apache2
Replace modules/ssl with the modified version.
Run within modules/ssl perl ./ssl_engine_dh.c to generate your own DH parameters.
Build the package. After updates, mod_ssl.so will be overwritten, so you have to copy your compiled version from debian/apache2.2-bin/usr/lib/apache2/modules/ to /usr/lib/apache2/modules/ and restart apache.
Andreas
** Attachment added: "mod_ssl from apache 2.2.29 with 2038 and 3072 bit DH parameters"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+attachment/4404368/+files/mod_ssl-apache2.22.tar.bz2
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+subscriptions
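
A check one might run after installing the rebuilt module, added here as an example and not part of the original message or the attached code: a shell function that reads `openssl s_client` output and reports whether the handshake used an ephemeral key exchange and, for DHE, whether the group is large enough. The function name, the 2048-bit default threshold and the sample excerpts are constructed for illustration; it assumes TLS 1.2 or earlier cipher names.

```shell
#!/bin/sh
# Added example: classify the key exchange reported by `openssl s_client`.
# Reads s_client output on stdin; $1 is the minimum accepted DH size (assumed 2048).
# Prints one verdict line; returns 0 ok, 1 weak DH, 2 no forward secrecy, 3 unknown.
check_fs() {
    min_dh_bits=${1:-2048}
    out=$(cat)
    # Negotiated suite from the SSL-Session block, e.g. "    Cipher    : DHE-RSA-AES256-SHA"
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # Ephemeral key details, e.g. "Server Temp Key: DH, 1024 bits"
    tmpkey=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: *//p' | head -n 1)

    case "$cipher" in
        ECDHE-*|DHE-*|EDH-*) ;;   # ephemeral (EC)DH suites, pre-TLS 1.3 naming
        *) echo "no-fs cipher=${cipher:-none}"; return 2 ;;
    esac

    case "$tmpkey" in
        DH,*)
            bits=$(printf '%s\n' "$tmpkey" | sed -n 's/^DH, *\([0-9][0-9]*\) bits.*/\1/p')
            if [ -z "$bits" ]; then
                echo "unknown cipher=$cipher"; return 3
            elif [ "$bits" -lt "$min_dh_bits" ]; then
                echo "weak cipher=$cipher dh_bits=$bits"; return 1
            fi
            echo "ok cipher=$cipher dh_bits=$bits" ;;
        ?*) echo "ok cipher=$cipher kex=$tmpkey" ;;   # ECDH and other non-DH temp keys
        *)  # some openssl clients do not print a Server Temp Key line
            echo "unknown cipher=$cipher"; return 3 ;;
    esac
}

# Constructed s_client excerpts (not captured from any real server).
SAMPLE_DH1024='Server Temp Key: DH, 1024 bits
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_DH3072='Server Temp Key: DH, 3072 bits
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_RSA='    Cipher    : AES256-SHA'

for s in "$SAMPLE_DH1024" "$SAMPLE_DH3072" "$SAMPLE_ECDHE" "$SAMPLE_RSA"; do
    printf '%s\n' "$s" | check_fs 2048 || true
done
```

To use it against a server you administer, pipe the output of `openssl s_client -connect HOST:443 </dev/null 2>/dev/null` into `check_fs`, where HOST is a placeholder.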