Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites
Date: Mon, 01 Jun 2015 14:37:40 +0200	[thread overview]
Message-ID: <1433162260.3370.120.camel@ipfire.org> (raw)
In-Reply-To: <556C0635.1030202@web.de>

[-- Attachment #1: Type: text/plain, Size: 4635 bytes --]

On Mon, 2015-06-01 at 09:13 +0200, IT Superhack wrote:
> Hello Michael,
> 
> Michael Tremer:
> > On Sun, 2015-05-31 at 22:11 +0200, Stefan Schantl wrote:
> >> Hello Timmothy,
> >> 
> >> thanks for your hard work and sending us the patches. I've
> >> noticed you already have read through the "Submiting Patches"
> >> guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
> >> 
> >> In order for an easy apply of your modifications please re-send
> >> them to the list with the patchfile attached to the mail.
> > 
> > No, no attachments.
> > 
> > http://wiki.ipfire.org/devel/submit-patches#no_mime_no_links_no_compre
> ssion_no_attachments_just_plain_text
> As
> > 
> Stefan already estimated, I've read those wiki pages.
> But I've uploaded the patch to nopaste.ipfire.org due to cryappy line
> breaks done by my mail program (I guess it has something to do with
> PGP, but I don't know it for sure.).

Yes, most MUAs scramble the content of the emails quite a lot. If you
set it to send a text email (which is a must on mailing lists any way)
they do not tend to do that any more.

It is probably best to use git send-email because of these broken MUAs.

> So, if you like, I can attach the patch to an email, but I really
> can't guarantee that it arrives correctly.

You can try sending emails to yourself to test your setup and look at
the result.

> > Also no pseudonyms.
> What is that supposed to mean?

We are legally required to have the real name of the author of a patch
and a working email address.

The reasons behind that are quite a lot and have been discussed a couple
of times on this list.

All the big Open Source projects I know require this, too.

> > I get that this entire process might be a bit difficult for a start
> > but there has been put a lot of thought into it why we are doing it
> > this way.
> Both aspects are right: It is complicated to clone the git branch,
> make patchfiles, working with git (first time!) and so on. But those
> things seem to be useful for you developers.

Git is really complicated for beginners. Once you get used to it you
will never want to use anything else. There are a lot of really nice
howtos on the web and YouTube.

The patch format is so important because it saves a lot of work at the
maintainers' part and you can probably describe best what your patch is
supposed to fix and so on.

-Michael

> 
> Best regards,
> Timmothy Wilson
> > 
> > Best, -Michael
> > 
> >> Thanks in advance,
> >> 
> >> -Stefan
> >> 
> >> 
> >>> Changes: [1] Forbid the use of weak DH cipher suites in
> >>> Apache. [2] Tell Apache to use a custom bunch of prime
> >>> numbers. [3] Updated "httpscert" in order to generate those
> >>> prime numbers.
> >>> 
> >>> Those changes are supposed to fix a vulnerability called
> >>> "logjam" in Apache. "Logjam" is a recently discovered
> >>> vulnerability in the Diffie-Hellman-Key-Exchange. Affected are
> >>> TLS/SSL connectiones, VPNs and other services which are relying
> >>> on DH as well.
> >>> 
> >>> References: [Bug #10856]:
> >>> https://bugzilla.ipfire.org/show_bug.cgi?id=10856 [Further
> >>> Information]: https://weakdh.org/ [Further Information
> >>> (german)]: 
> >>> http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung
> -von
> >>>
> >>> 
> -zehntausenden-Servern-gefaehrdet-2657502.html
> >>> 
> >>> Please find the patch here:
> >>> http://nopaste.ipfire.org/view/r8QWUyQF
> >>> 
> >>> However, the patch can't applied to IPFire systems without
> >>> creating unique prime numbers, since the configuration file of
> >>> Apache expects the presence of a file called
> >>> "/etc/httpd/dhparams.pem", if this one does not exist, Apache
> >>> will likely crash. Please make sure to generate prime numbers
> >>> by Pakfire during a upgrade:
> >>> 
> >>> /usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
> >>> 
> >>> I'm estimating that other software components of IPFire are
> >>> still vulnerable to Lojgam (IPSec?). As soon as I have more
> >>> information about this, I will roll out new patches.
> >>> 
> >>> Best regards, Timmothy Wilson 
> >>> _______________________________________________ Development
> >>> mailing list Development(a)lists.ipfire.org 
> >>> http://lists.ipfire.org/mailman/listinfo/development
> >> 
> >> _______________________________________________ Development
> >> mailing list Development(a)lists.ipfire.org 
> >> http://lists.ipfire.org/mailman/listinfo/development
> >> 
> >> 
> >> _______________________________________________ Development
> >> mailing list Development(a)lists.ipfire.org 
> >> http://lists.ipfire.org/mailman/listinfo/development
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]