Bugzilla – Bug 931723
VUL-1: apache2: The Logjam Attack / weakdh.org
Last modified: 2017-07-18 14:51:57 UTC
+++ This bug was initially created as a clone of Bug #931600 +++
The apache 2.2.12 version in SLE11 has:
selection of either dh512 or dh1024 parameters, depending on server key size.
So it will usually select 1024-bit keys.
A dhparam override option does not exist currently (there is one, but it is not hooked up in the config framework at this time).
apache 2.4 in SLE12
An SSLCertificateFile statement can be used for specifying DH params. (untested, just source code checking)
actually for SLE12:
create the dhparams with e.g.:
openssl dhparam -out dhparams.pem 2048
then _append_ this to the server certificate file.
cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt
Note that if apache2 on SLE11 already has the export ciphers disabled, it is not affected by the DHE_EXPORT downgrade attack either.
It will just use the not-so-unique 1024-bit group.
Just a question on behalf of the customer whether we have any ETA when the patch is supposed to be released? Thank you
I am sorry to ask you again, anyway, do we have any dates when the patch is supposed to be released?
(In reply to Marcus Meissner from comment #3)
> actually for SLE12:
> create the dhparams with e.g.:
> openssl dhparam -out dhparams.pem 2048
> then _append_ this to the server certificate file.
> cat dhparams.pem >> /etc/apache2/ssl.crt/server.crt
This also works on RHEL and CentOS 6 with Apache 2.2.15.
Seems it can be patched for Apache 2.2 for older releases than SLE12?
(In reply to Wolfgang Rosenauer from comment #8)
> (In reply to Marcus Meissner from comment #3)
> > then _append_ this to the server certificate file.
> This also works on RHEL and CentOS 6 with Apache 2.2.15.
> Seems it can be patched for Apache 2.2 for older releases than SLE12?
At the moment it does not seem possible to get an A rating on www.ssllabs.com/ssltest using Apache on an OpenSUSE 13.1 based server
Although B is not bad*, we would really appreciate a fix for apache2-2.4 as included in OS13.1. Especially as it seems that 13.1 will be the next Evergreen
*).. but all my friends run Ubuntu with an A rating :-/
I have OpenSuSE-13.1 with the stock apache2-2.4.6-6.47.1 and
openssl-1.0.1k-11.72.1 . In responding to Logjam (CVE-2015-4000), I'm
very tempted to upgrade to apache2-2.4.12 from the OpenSuSE-13.1 Apache
sub-repo, and to install openssl-1.0.2 from Tumbleweed (if no dependency
problems) or one of the community developers with 13.1 packages. What
holds me back is, future security patches will use the stock versions as
a base, and if I make these upgrades I will miss future patches for
other issues until probably the OpenSuSE version after 13.2, which is a
very big negative factor.
So I'd like to request that the stock apache2 for OpenSuSE-13.1 should
gain the ability to use locally generated Diffie-Hellman parameters,
either by backporting or by upgrading the version.
As for which patch to backport, the one from apache-2.4.7 appears to make
the smallest code changes, and will work with openssl-0.9.8. But the
sysadmin needs to append the DH parameters to his host certificate,
which is a problem if he's ultra-paranoid and changes them on a
schedule, or if the host cert is replaced the DH parameters may be
forgotten. Also I'm using a concatenated file with the key, cert, and
(intermediate) CAs in that order. Some guidance would be appreciated:
should the DH params come after the host cert, or at the end of the
The patch from apache-2.4.8 that introduces the SSLOpenSSLConfCmd
DHParameters directive is going to be a whole lot easier for the
sysadmin, but more disruptive for the distro, since it requires
advancing to openssl-1.0.2. But perhaps the security team thinks an
eventual transition to 1.0.2 is inevitable. As the sysadmin, I would
prefer this backport or version upgrade.
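The append-the-DH-parameters procedure from comment #3 and the worry in the comment above about those parameters being forgotten when the host certificate is replaced both come down to one check: what DH group does the concatenated server.crt actually carry? The script below is an added example, not code from this bug report, from the apache2 packages, or from the user who raised the concern. It parses the PEM bundle, decodes the PKCS#3 DH PARAMETERS block, flags a group under 2048 bits (the weakdh.org recommendation) or a modulus that is not a safe prime, and provides an idempotent append step for a certificate-renewal hook. Assumptions are marked in the code: the RFC 2409 1024-bit MODP group is a public constant used as the weak sample, while the 2048-bit non-prime value and the CERTIFICATE blocks are constructed placeholders, not real parameters or certificates.

```python
# Added example: audit the DH PARAMETERS block appended to an Apache cert bundle.
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)
# Well-known 1024-bit MODP group from RFC 2409 (Oakley group 2): shared by many
# servers and therefore precomputable, which is what Logjam exploits.
OAKLEY_GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
# Constructed 2048-bit value that is NOT prime (3 divides 2**2047 + 1).
BOGUS_2048_P = 2**2047 + 1

def _der_len(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    width = (n.bit_length() + 7) // 8
    return bytes([0x80 | width]) + n.to_bytes(width, "big")

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # spare byte keeps sign bit clear
    return b"\x02" + _der_len(len(body)) + body

def _pem(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64)), label)

def encode_dh_params(p, g=2):  # PKCS#3 DHParameter ::= SEQUENCE { prime, base }
    body = _der_int(p) + _der_int(g)
    return _pem("DH PARAMETERS", b"\x30" + _der_len(len(body)) + body)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        width = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + length], pos + length

def dh_params_from_pem(pem_text):
    """(p, g) from the first DH PARAMETERS block in a PEM file or bundle."""
    for m in PEM_RE.finditer(pem_text):
        if m.group(1) == "DH PARAMETERS":
            tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
            tag_p, p_bytes, pos = _read_tlv(seq, 0)
            tag_g, g_bytes, _ = _read_tlv(seq, pos)
            if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
                raise ValueError("malformed DHParameter structure")
            return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
    raise ValueError("no DH PARAMETERS block")

def is_probable_prime(n):  # Miller-Rabin, fixed small-prime bases: fine for an audit
    if n < 2 or any(n % s == 0 for s in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p and (p-1)/2 both prime, which is what plain 'openssl dhparam' generates."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def ensure_dh_params(bundle_text, dh_pem):
    """Append dh_pem unless the bundle already carries DH PARAMETERS. Idempotent,
    so the same hook can run every time a renewed certificate is installed."""
    if "-----BEGIN DH PARAMETERS-----" in bundle_text:
        return bundle_text
    return bundle_text.rstrip("\n") + "\n" + dh_pem

def audit_bundle(bundle_text, min_bits=2048):
    """Describe the DH group in a cert bundle; weak=True means Logjam-exposed."""
    labels = [m.group(1) for m in PEM_RE.finditer(bundle_text)]
    if "DH PARAMETERS" not in labels:  # mod_ssl then uses its built-in group
        return {"labels": labels, "bits": 0, "safe_prime": False, "weak": True}
    p, _g = dh_params_from_pem(bundle_text)
    bits, safe = p.bit_length(), is_safe_prime(p)
    return {"labels": labels, "bits": bits, "safe_prime": safe,
            "weak": bits < min_bits or not safe}

# Constructed stand-ins for the cert and chain part of server.crt (not real certs).
SAMPLE_BUNDLE = (_pem("CERTIFICATE", b"constructed placeholder, not a real cert")
                 + _pem("CERTIFICATE", b"constructed placeholder intermediate"))

if __name__ == "__main__":
    for name, p in (("RFC 2409 group 2", OAKLEY_GROUP2_P), ("bogus 2048-bit", BOGUS_2048_P)):
        print(name, audit_bundle(ensure_dh_params(SAMPLE_BUNDLE, encode_dh_params(p))))
```

On a live system, call `audit_bundle(open("/etc/apache2/ssl.crt/server.crt").read())`: `bits` of 1024, or a missing DH PARAMETERS block, means the server is still on the shared group this bug is about, and a large `bits` with `safe_prime` False means the appended file was not produced by a plain `openssl dhparam` run. The audit records the order of the PEM blocks but does not depend on it.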
the transition to 1.0.2 is done in factory and there all should be fine.
also 13.2 is good.
I am currently trying to just diff modules/ssl/ between 13.1 and 13.2, apply that on top of 13.2 and submit it.
if you are curious
Created attachment 641266 [details]
patch for opensuse 13.1.
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages by 2015-08-07.
When done, reassign the bug to email@example.com.
This is an autogenerated message for OBS integration:
This bug (931723) was mentioned in
https://build.opensuse.org/request/show/322025 Factory / apache2
Submitted to openSUSE 13.2: https://build.opensuse.org/request/show/333177
Will this also be fixed in openSUSE 13.1 which is also currently in support?
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
openSUSE 13.2 (src): apache2-2.4.10-28.1
openSUSE 13.1 (src): apache2-2.4.6-6.50.1
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src): apache2-mod_fastcgi-2.4.7-3.4.1
*** Bug 957931 has been marked as a duplicate of this bug. ***
everything fixed and released.