Hi, As Apache 2.2.x does not provide a way to use a self-generated set of DH params via a configuration directive (it lacks the "SSLOpenSSLConfCmd" parameter), I've created a workaround that generates a set of DH params at compile time, so that apache22 is still able to follow the recommendation of not using the default set of 512/1024-bit DH params that is shipped with Apache by default. I had already published the workaround on https://bitbucket.org/snippets/wneessen/grb8, where someone suggested submitting a PR for FreeBSD, so here it is. I wasn't able to figure out how to attach two files to this PR, so I am following the documentation at https://www.freebsd.org/doc/en_US.ISO8859-1/articles/problem-reports/pr-writing.html and providing the URLs. Patch for www/apache2/Makefile: https://bitbucket.org/api/2.0/snippets/wneessen/grb8/9ce0ecd2a060d734a87a8ce63524bbcbe67c4a7c/files/Makefile.patch Patch for Apache 2.2.x's modules/ssl/ssl_engine_dh.c: https://bitbucket.org/api/2.0/snippets/wneessen/grb8/9ce0ecd2a060d734a87a8ce63524bbcbe67c4a7c/files/ssl_engine_dh_c.patch Hope that helps, Winni
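A small checker to verify that the DH params being built in are actually of the intended size, as an added example that is not part of this bug report or of the submitted patches. It parses a PKCS#3 "DH PARAMETERS" PEM (such as the output of `openssl dhparam`) by hand and reports the prime's bit length against a 2048-bit floor; the `encode_dh_pem` helper and the sample values it produces are constructed for the demo (the sample numbers are not real primes, the checker only inspects size), and the names `audit_dh_pem` and `MIN_DH_BITS` are assumptions of this example.

```python
import base64
import re

# Minimum DH prime size this checker accepts; 2048 bits is the usual floor
# recommended after Logjam, above the 512/1024-bit defaults discussed above.
MIN_DH_BITS = 2048


def _der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_der(der):
    """Parse PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    tag, body, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _der_read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    tag, g_bytes, _ = _der_read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def pem_to_der(pem):
    """Extract and base64-decode the body of a 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def dh_prime_bits(pem):
    """Bit length of the DH prime p in a PEM-encoded parameter set."""
    p, _g = parse_dh_params_der(pem_to_der(pem))
    return p.bit_length()


def audit_dh_pem(pem, minimum=MIN_DH_BITS):
    """Return {'bits': n, 'acceptable': bool} for the given PEM text (assumed helper name)."""
    bits = dh_prime_bits(pem)
    return {"bits": bits, "acceptable": bits >= minimum}


# --- constructed sample input (demo only; not a real parameter set) ---------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the high bit is set,
    # keeping the INTEGER positive as DER requires.
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_pem(p, g):
    """Build a PKCS#3 DH PARAMETERS PEM for the demo; real files come from openssl dhparam."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed placeholders: sized like 1024-bit and 2048-bit params, not actual primes.
SAMPLE_WEAK_PEM = encode_dh_pem(2 ** 1023 + 1, 2)
SAMPLE_OK_PEM = encode_dh_pem(2 ** 2047 + 1, 2)


if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py /path/to/dhparams.pem  (falls back to the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit_dh_pem(fh.read()))
    else:
        print("weak sample:", audit_dh_pem(SAMPLE_WEAK_PEM))
        print("ok sample:  ", audit_dh_pem(SAMPLE_OK_PEM))
```

Running it against the file produced by `openssl dhparam -out dhparams.pem 2048` (or the 4096-bit variant mentioned later in this thread) confirms the size before the parameters are baked into the build, which is useful because a build that silently fell back to the stock 1024-bit set would otherwise look identical from the outside.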
Created attachment 157602 [details] patch delivered without curling. I dropped this patch in the port's files/ directory; it might be the right way of doing it. Probably it should be extended with the 4096-bit thing.
The Logjam workaround was committed to the www/apache22 port a few weeks ago: https://svnweb.freebsd.org/ports/head/www/apache22/Makefile?revision=386904&view=markup
Seems the missing piece is to also put it in the stable/security backport branch of FreeBSD. There's no patch in here: https://svnweb.freebsd.org/ports/branches/2015Q2/www/apache22/Makefile?view=log or https://github.com/freebsd/freebsd-ports/blob/branches/2015Q2/www/apache22/Makefile for the fancier look. I don't know, but it seems the maintainers for those branches somehow weren't informed, or they didn't get to it yet.
Good catch. This should have been MFH'd, especially since it was handled by: With hat: ports-secteam. Re-opening.
zi, can you use this as a reminder to MFH the Logjam fix to the quarterly branch? Thanks!
A commit references this bug:

Author: zi
Date: Thu Jun 11 14:21:05 UTC 2015
New revision: 389214
URL: https://svnweb.freebsd.org/changeset/ports/389214

Log:
- Merge logjam fix from head
- Bump PORTREVISION

PR: 200756
With hat: ports-secteam
Approved by: ports-secteam
MFH: r386904,388386

Changes:
_U branches/2015Q2/
branches/2015Q2/www/apache22/Makefile
branches/2015Q2/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c