From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: generating unique prime numbers and forbid use of weak DH cipher suites
Date: Mon, 01 Jun 2015 14:37:40 +0200
Message-ID: <1433162260.3370.120.camel@ipfire.org>
In-Reply-To: <556C0635.1030202@web.de>

On Mon, 2015-06-01 at 09:13 +0200, IT Superhack wrote:
> Hello Michael,
>
> Michael Tremer:
> > On Sun, 2015-05-31 at 22:11 +0200, Stefan Schantl wrote:
> >> Hello Timmothy,
> >>
> >> thanks for your hard work and sending us the patches. I've
> >> noticed you already have read through the "Submitting Patches"
> >> guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
> >>
> >> In order for an easy apply of your modifications please re-send
> >> them to the list with the patchfile attached to the mail.
> >
> > No, no attachments.
> >
> > http://wiki.ipfire.org/devel/submit-patches#no_mime_no_links_no_compression_no_attachments_just_plain_text
>
> As Stefan already estimated, I've read those wiki pages.
> But I've uploaded the patch to nopaste.ipfire.org due to crappy line
> breaks done by my mail program (I guess it has something to do with
> PGP, but I don't know it for sure.).

Yes, most MUAs scramble the content of the emails quite a lot. If you
set it to send a text email (which is a must on mailing lists anyway)
they do not tend to do that any more.

It is probably best to use git send-email because of these broken MUAs.

> So, if you like, I can attach the patch to an email, but I really
> can't guarantee that it arrives correctly.

You can try sending emails to yourself to test your setup and look at
the result.

> > Also no pseudonyms.
>
> What is that supposed to mean?
We are legally required to have the real name of the author of a patch
and a working email address. The reasons behind that are quite a lot and
have been discussed a couple of times on this list. All the big Open
Source projects I know require this, too.

> > I get that this entire process might be a bit difficult for a start
> > but there has been put a lot of thought into it why we are doing it
> > this way.
>
> Both aspects are right: It is complicated to clone the git branch,
> make patchfiles, working with git (first time!) and so on. But those
> things seem to be useful for you developers.

Git is really complicated for beginners. Once you get used to it you
will never want to use anything else. There are a lot of really nice
howtos on the web and YouTube.

The patch format is so important because it saves a lot of work on the
maintainers' part and you can probably describe best what your patch is
supposed to fix and so on.

-Michael

> Best regards,
> Timmothy Wilson
>
> > Best,
> > -Michael
> >
> >> Thanks in advance,
> >>
> >> -Stefan
> >>
> >>
> >>> Changes:
> >>> [1] Forbid the use of weak DH cipher suites in Apache.
> >>> [2] Tell Apache to use a custom bunch of prime numbers.
> >>> [3] Updated "httpscert" in order to generate those prime numbers.
> >>>
> >>> Those changes are supposed to fix a vulnerability called "logjam"
> >>> in Apache. "Logjam" is a recently discovered vulnerability in the
> >>> Diffie-Hellman key exchange. Affected are TLS/SSL connections,
> >>> VPNs and other services which are relying on DH as well.
> >>>
> >>> References:
> >>> [Bug #10856]: https://bugzilla.ipfire.org/show_bug.cgi?id=10856
> >>> [Further Information]: https://weakdh.org/
> >>> [Further Information (German)]:
> >>> http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html
> >>>
> >>> Please find the patch here:
> >>> http://nopaste.ipfire.org/view/r8QWUyQF
> >>>
> >>> However, the patch can't be applied to IPFire systems without
> >>> creating unique prime numbers, since the configuration file of
> >>> Apache expects the presence of a file called
> >>> "/etc/httpd/dhparams.pem"; if this one does not exist, Apache
> >>> will likely crash. Please make sure to generate prime numbers
> >>> by Pakfire during an upgrade:
> >>>
> >>> /usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
> >>>
> >>> I'm estimating that other software components of IPFire are
> >>> still vulnerable to Logjam (IPSec?). As soon as I have more
> >>> information about this, I will roll out new patches.
> >>>
> >>> Best regards,
> >>> Timmothy Wilson
> >>> _______________________________________________
> >>> Development mailing list
> >>> Development(a)lists.ipfire.org
> >>> http://lists.ipfire.org/mailman/listinfo/development
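The quoted patch makes Apache fail to start if /etc/httpd/dhparams.pem is absent, and the whole point of the change is that the file holds a group of adequate size. The following POSIX shell function is an added example written for this thread; it is neither the patch nor IPFire's "httpscert" script. It generates the parameter file once if it is missing, writing to a temporary name first so Apache never sees a half-written file, then has openssl check the parameters and confirms the modulus is at least the requested size, returning non-zero so an upgrade hook can abort instead of leaving httpd to crash. The function names, the size check and the default arguments are assumptions of this example; the defaults mirror the command in the patch description.

```shell
#!/bin/sh
# Added example for the Logjam thread, not IPFire code. Function names,
# arguments and the size check are assumptions of this example; the
# default path and size mirror the patch description.

# dhparam_bits FILE
#   Print the modulus size of the DH parameters in FILE, or nothing if
#   the file does not parse. Relies on the "DH Parameters: (N bit)" line
#   that "openssl dhparam -text" prints.
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# ensure_dhparams [FILE] [BITS]
#   Generate FILE with "openssl dhparam" if it is missing or empty, then
#   verify that it parses, passes openssl's own parameter check, and has
#   a modulus of at least BITS bits. Returns non-zero on any failure so
#   an update hook can stop before Apache is restarted against a missing
#   or weak group.
ensure_dhparams() {
    file="${1:-/etc/httpd/dhparams.pem}"
    bits="${2:-2048}"

    if [ ! -s "$file" ]; then
        # Safe-prime generation is slow at 2048 bits (minutes on small
        # hardware). Write to a temporary name and rename atomically so a
        # partially written file is never picked up by httpd.
        tmp="${file}.tmp.$$"
        umask 022
        if ! openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1; then
            rm -f "$tmp"
            return 1
        fi
        mv "$tmp" "$file" || return 1
    fi

    # Reject files that do not parse or fail openssl's DH parameter
    # checks (truncated PEM, non-prime p, unsuitable generator, ...).
    openssl dhparam -in "$file" -check -noout >/dev/null 2>&1 || return 1

    # The modulus size is what decides Logjam exposure: 512-bit export
    # groups are broken and 1024-bit is considered weak, so insist on
    # the size the caller asked for.
    actual=$(dhparam_bits "$file")
    [ -n "$actual" ] && [ "$actual" -ge "$bits" ]
}

# Usage from an upgrade hook, with the patch's path and size as defaults:
#   ensure_dhparams || { echo "dhparams.pem missing or too weak" >&2; exit 1; }
```

Calling the function before every httpd restart keeps the check idempotent: an existing, valid file is only verified, never regenerated, and only a missing file triggers the slow generation step.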