Better encryption for Apache 2.2.x in Ubuntu 12.04 LTS / 2015-06-15

2015-06-15 Better encryption for Apache 2.2.x in Ubuntu 12.04 LTS
Reading the changelogs for Ubuntu upgrades is good, since I noticed:
Get:1 Changelog for apache2.2-bin (http://changelogs.ubuntu.com/changelogs/pool/
main/a/apache2/apache2_2.2.22-1ubuntu1.9/changelog) [152 kB]
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.
It took a bit of digging in Bug #1197884 “apache2.2 SSL has no forward-secrecy: need ECDHE k...” : Bugs : apache2 package : Ubuntu but the decision was made to backport ECDHE handling to mod_ssl in the Apache 2.2.22 package in Ubuntu 12.04 LTS. To be able to use this all you need to generate your own dhparams with:
# openssl dhparam -out dhparam.pem 2048
Where the keysize here (2048 bits) needs to be the same as for the private key. The resulting dhparams in PEM format need to be pasted to the SSLCertificateFile so it ends up looking like:
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
..
-----END DH PARAMETERS-----
This is actually an upgrade and not an update, but as the discussion in the bugreport shows the choice was made to improve overal security in light of recent revelations about the probable capabilities of NSA/GCHQ, better explained in The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange - Schneier on Security.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.55 2021/11/09 13:09:49 koos Exp $ in 0.006484 seconds.