Better encryption for Apache 2.2.x in Ubuntu 12.04 LTS / 2015-06-15

Reading the changelogs for Ubuntu upgrades is good, since I noticed:
Get:1 Changelog for apache2.2-bin (http://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.2.22-1ubuntu1.9/changelog) [152 kB]
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.
It took a bit of digging in Bug #1197884 “apache2.2 SSL has no forward-secrecy: need ECDHE k...” in the Ubuntu apache2 package bug tracker, but the decision was made to backport ECDHE handling to mod_ssl in the Apache 2.2.22 package in Ubuntu 12.04 LTS. To be able to use this, all you need to do is generate your own DH parameters with:
# openssl dhparam -out dhparam.pem 2048
Here the key size (2048 bits) needs to be the same as that of the private key. The resulting DH parameters in PEM format need to be appended to the SSLCertificateFile, so it ends up looking like:
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
..
-----END DH PARAMETERS-----
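The two steps above (generate DH parameters, append them to the SSLCertificateFile), as an added shell example that is not code from the original post: it builds the combined file from a constructed, throwaway self-signed certificate and then checks that both PEM blocks are present, that the certificate comes first, and that the DH prime is the same size as the RSA key, which is the condition the post states. The function names, the subject name in the test certificate and the output file names are my own; the openssl command line tool and the usual POSIX utilities (sed, grep, cut, cat) are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post: build an SSLCertificateFile that
# carries the certificate followed by DH parameters, then verify the result.
# Assumes the openssl CLI plus sed/grep/cut; all function names are my own.
set -eu

# RSA key size in bits of the first CERTIFICATE block in file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Prime size in bits of the first DH PARAMETERS block in file $1
# (the PEM reader skips the certificate block in front of it).
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Line number of the first line matching fixed pattern $1 in file $2
# (empty when there is no match).
first_line() {
    grep -n -- "$1" "$2" | head -n 1 | cut -d: -f1
}

# Verify a combined file: both blocks present, certificate first, and the
# DH prime as large as the RSA key. Prints "ok <bits>" and returns 0, or
# prints the problem found and returns 1.
check_combined() {
    f=$1
    cert_at=$(first_line '-----BEGIN CERTIFICATE-----' "$f")
    dh_at=$(first_line '-----BEGIN DH PARAMETERS-----' "$f")
    [ -n "$cert_at" ] || { echo "no CERTIFICATE block in $f"; return 1; }
    [ -n "$dh_at" ] || { echo "no DH PARAMETERS block in $f"; return 1; }
    [ "$cert_at" -lt "$dh_at" ] \
        || { echo "DH PARAMETERS must follow the certificate in $f"; return 1; }
    key_bits=$(cert_key_bits "$f")
    dh_bits=$(dh_param_bits "$f")
    [ -n "$key_bits" ] && [ -n "$dh_bits" ] \
        || { echo "could not read the key or DH size from $f"; return 1; }
    [ "$key_bits" = "$dh_bits" ] \
        || { echo "size mismatch: RSA key $key_bits bits, DH prime $dh_bits bits"; return 1; }
    echo "ok $key_bits"
}

# Build the combined file in directory $2 from a constructed throwaway
# self-signed certificate with an RSA key of $1 bits and DH parameters of
# the same size (use 2048 in practice, as the post does). Prints its path.
make_combined() {
    bits=$1
    dir=$2
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
        -subj '/CN=dhparam-example.invalid' \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    openssl dhparam -out "$dir/dhparam.pem" "$bits" 2>/dev/null
    # Certificate first, DH parameters appended: the layout mod_ssl expects.
    cat "$dir/server.crt" "$dir/dhparam.pem" > "$dir/server-with-dh.crt"
    echo "$dir/server-with-dh.crt"
}

# Usage: sh combined-cert.sh /path/to/dir
# Generates 2048-bit material in that directory, checks it, and prints the
# file to point SSLCertificateFile at. With no argument only the functions
# are defined.
if [ $# -ge 1 ]; then
    combined=$(make_combined 2048 "$1")
    check_combined "$combined"
fi
```

For a real deployment you would of course keep your existing certificate and only append the output of `openssl dhparam` to it; `check_combined` is the part worth running afterwards, since an empty or mismatched size check is exactly the mistake that silently leaves the server without the intended DH parameters.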
This is actually an upgrade and not an update, but as the discussion in the bug report shows, the choice was made to improve overall security in light of recent revelations about the probable capabilities of NSA/GCHQ, better explained in The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange - Schneier on Security.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.