From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites
Date: Mon, 01 Jun 2015 09:13:57 +0200 [thread overview]
Message-ID: <556C0635.1030202@web.de> (raw)
In-Reply-To: <1433103512.3370.98.camel@ipfire.org>
Hello Michael,
Michael Tremer:
> On Sun, 2015-05-31 at 22:11 +0200, Stefan Schantl wrote:
>> Hello Timmothy,
>>
>> thanks for your hard work and sending us the patches. I've
>> noticed you already have read through the "Submitting Patches"
>> guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
>>
>> In order for an easy apply of your modifications please re-send
>> them to the list with the patchfile attached to the mail.
>
> No, no attachments.
>
> http://wiki.ipfire.org/devel/submit-patches#no_mime_no_links_no_compression_no_attachments_just_plain_text
>
As Stefan already estimated, I've read those wiki pages.
But I've uploaded the patch to nopaste.ipfire.org due to crappy line
breaks done by my mail program (I guess it has something to do with
PGP, but I don't know it for sure.).
So, if you like, I can attach the patch to an email, but I really
can't guarantee that it arrives correctly.
>
> Also no pseudonyms.
What is that supposed to mean?
>
> I get that this entire process might be a bit difficult for a start
> but there has been put a lot of thought into it why we are doing it
> this way.
Both aspects are right: It is complicated to clone the git branch,
make patch files, work with git (first time!) and so on. But those
things seem to be useful for you developers.
Best regards,
Timmothy Wilson
>
> Best, -Michael
>
>> Thanks in advance,
>>
>> -Stefan
>>
>>
>>> Changes: [1] Forbid the use of weak DH cipher suites in
>>> Apache. [2] Tell Apache to use a custom bunch of prime
>>> numbers. [3] Updated "httpscert" in order to generate those
>>> prime numbers.
>>>
>>> Those changes are supposed to fix a vulnerability called
>>> "logjam" in Apache. "Logjam" is a recently discovered
>>> vulnerability in the Diffie-Hellman key exchange. Affected are
>>> TLS/SSL connections, VPNs and other services which are relying
>>> on DH as well.
>>>
>>> References: [Bug #10856]:
>>> https://bugzilla.ipfire.org/show_bug.cgi?id=10856 [Further
>>> Information]: https://weakdh.org/ [Further Information
>>> (german)]:
>>> http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html
>>>
>>> Please find the patch here:
>>> http://nopaste.ipfire.org/view/r8QWUyQF
>>>
>>> However, the patch can't be applied to IPFire systems without
>>> creating unique prime numbers, since the configuration file of
>>> Apache expects the presence of a file called
>>> "/etc/httpd/dhparams.pem"; if this one does not exist, Apache
>>> will likely crash. Please make sure to generate prime numbers
>>> by Pakfire during an upgrade:
>>>
>>> /usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
>>>
>>> I'm estimating that other software components of IPFire are
>>> still vulnerable to Logjam (IPSec?). As soon as I have more
>>> information about this, I will roll out new patches.
>>>
>>> Best regards, Timmothy Wilson
>>> _______________________________________________ Development
>>> mailing list Development(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/development
>>