From: IT Superhack
To: development@lists.ipfire.org
Subject: Re: [PATCH] apache: generating unique prime numbers and forbit use of weak DH cipher suites
Date: Mon, 01 Jun 2015 09:13:57 +0200
Message-ID: <556C0635.1030202@web.de>
In-Reply-To: <1433103512.3370.98.camel@ipfire.org>

Hello Michael,

Michael Tremer:
> On Sun, 2015-05-31 at 22:11 +0200, Stefan Schantl wrote:
>> Hello Timmothy,
>>
>> thanks for your hard work and for sending us the patches. I've
>> noticed you already have read through the "Submitting Patches"
>> guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
>>
>> In order to apply your modifications easily, please re-send
>> them to the list with the patchfile attached to the mail.
>
> No, no attachments.
>
> http://wiki.ipfire.org/devel/submit-patches#no_mime_no_links_no_compression_no_attachments_just_plain_text

As Stefan already estimated, I've read those wiki pages. But I've uploaded the patch to nopaste.ipfire.org due to crappy line breaks done by my mail program (I guess it has something to do with PGP, but I don't know it for sure). So, if you like, I can attach the patch to an email, but I really can't guarantee that it arrives correctly.

> Also no pseudonyms.

What is that supposed to mean?

> I get that this entire process might be a bit difficult for a start,
> but a lot of thought has been put into why we are doing it
> this way.

Both aspects are right: It is complicated to clone the git branch, make patchfiles, work with git (first time!) and so on. But those things seem to be useful for you developers.
Best regards,
Timmothy Wilson

> Best,
> -Michael
>
>> Thanks in advance,
>>
>> -Stefan
>>
>>> Changes:
>>> [1] Forbid the use of weak DH cipher suites in Apache.
>>> [2] Tell Apache to use a custom bunch of prime numbers.
>>> [3] Updated "httpscert" in order to generate those prime numbers.
>>>
>>> Those changes are supposed to fix a vulnerability called "logjam" in Apache. "Logjam" is a recently discovered vulnerability in the Diffie-Hellman key exchange. Affected are TLS/SSL connections, VPNs and other services which rely on DH as well.
>>>
>>> References:
>>> [Bug #10856]: https://bugzilla.ipfire.org/show_bug.cgi?id=10856
>>> [Further Information]: https://weakdh.org/
>>> [Further Information (German)]: http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html
>>>
>>> Please find the patch here: http://nopaste.ipfire.org/view/r8QWUyQF
>>>
>>> However, the patch can't be applied to IPFire systems without creating unique prime numbers, since the configuration file of Apache expects the presence of a file called "/etc/httpd/dhparams.pem"; if this one does not exist, Apache will likely crash. Please make sure to generate prime numbers by Pakfire during an upgrade:
>>>
>>> /usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
>>>
>>> I'm estimating that other software components of IPFire are still vulnerable to Logjam (IPSec?). As soon as I have more information about this, I will roll out new patches.
>>>
>>> Best regards,
>>> Timmothy Wilson
>>> _______________________________________________
>>> Development mailing list
>>> Development(a)lists.ipfire.org
>>> http://lists.ipfire.org/mailman/listinfo/development
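Added example (not code from the thread, the patch or IPFire): a Python pre-flight check for the file the patched Apache configuration expects, /etc/httpd/dhparams.pem, classifying it as missing, too small or acceptable by parsing the PKCS#3 DH PARAMETERS PEM block (a DER SEQUENCE of INTEGER p and INTEGER g). The PEM encoder exists only to build constructed sample input; the 2048-bit minimum follows the openssl command quoted above, and the sample value is an odd 2048-bit number standing in for a real prime, so this checks structure and size, not primality.

```python
import base64
import os
import re

def _der_len(n):                              # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _der_int(n):                              # DER INTEGER; spare byte keeps a set MSB positive
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dhparams_pem(p, g=2):
    """Encode a PKCS#3 DHParameter (SEQUENCE { INTEGER p, INTEGER g }) as PEM."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _der_read(buf, pos):                      # one element at pos -> (tag, contents, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparams_pem(pem_text):
    """Return (p, g) from the first DH PARAMETERS block in pem_text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dhparams(path="/etc/httpd/dhparams.pem", min_bits=2048):
    """Classify the file the patched Apache config loads: 'missing', 'too-small' or 'ok'."""
    if not os.path.isfile(path):
        return "missing"                      # the case the thread warns would stop Apache starting
    with open(path) as fh:
        p, _g = parse_dhparams_pem(fh.read())
    return "ok" if p.bit_length() >= min_bits else "too-small"

# Constructed sample: a 2048-bit odd number standing in for a real prime (structure check only).
SAMPLE_PEM = make_dhparams_pem((1 << 2047) | 1)
```

Running check_dhparams() before restarting Apache after the upgrade turns the "file missing, Apache crashes" failure described above into a plain status value the update script can act on.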