httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <>
Subject Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)
Date Tue, 05 May 2015 13:14:34 GMT
I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
for backport to 2.2.x (in reverse order):

  *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
     larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
     Joe Orton]

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

  *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

or at least partly.

Beyond the (problematic?) requirement on OpenSSL 0.9.8a (discussed
below), and what may look like an improvement only (first one), there
are also security considerations:
- ephemeral DH keys (for EDH ciphers) are currently limited to 1024
bits in 2.2.x, so with 2048 bits or more certificates (quite
recommended today), one should use its own dhparams for (E)DH ciphers,
- ecparams loadable from certificate allow to configure the curve/key
(plus SSL_CTX_set_ecdh_auto() when openssl >= 1.0.2),
- export grade ciphers (removed from openssl's maintained versions)
are still in use with default/general configurations (FREAK, ...).

Regarding requirement on OpenSSL 0.9.8a (what's the actual requirement
in 2.2.x?), if that's really a stopper, it only concerns the use of
get_rfc{2409,3526}_prime_{1024,2048,..}() introduced in 0.9.8a
(AFAICT), and we could eventually include (statically) that primes in
the code for versions < 0.9.8a.
But is there real 2.2.x user with OpenSSL < 0.9.8a?

Also, those changes are effective since 2.4.7, and hence are quite
largely tested already.

Any pros/cons/comments before I try to resolve (hopefully) small conflicts?


View raw message