Bug 200756 - [patch] www/apache22: Logjam DH params workaround for Apache 2.2.x due to lack of "SSLOpenSSLConfCmd" directive
Summary: [patch] www/apache22: Logjam DH params workaround for Apache 2.2.x due to lac...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ryan Steinmetz
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-06-10 07:11 UTC by Winni Neessen
Modified: 2015-06-11 14:21 UTC

See Also:
bugzilla: maintainer-feedback? (apache)


Attachments
patch delivered without curling. (1.81 KB, patch)
2015-06-10 08:17 UTC, florian.heigl

Description Winni Neessen 2015-06-10 07:11:50 UTC
Hi,

As Apache 2.2.x does not provide a way to use a self-generated set of DH params via a configuration directive (lack of the "SSLOpenSSLConfCmd" directive), I've created a workaround that generates a set of DH params at compile time, so that apache22 is still able to follow the recommendation of not using the default set of 512/1024-bit DH params that is shipped with Apache by default.

I'd already published the workaround on https://bitbucket.org/snippets/wneessen/grb8, where someone suggested submitting a PR for FreeBSD, so here it is.

I wasn't able to figure out how to attach two files to this PR, so I am following the documentation at https://www.freebsd.org/doc/en_US.ISO8859-1/articles/problem-reports/pr-writing.html and providing the URLs.

Patch for www/apache2/Makefile: https://bitbucket.org/api/2.0/snippets/wneessen/grb8/9ce0ecd2a060d734a87a8ce63524bbcbe67c4a7c/files/Makefile.patch
Patch for Apache 2.2.x's modules/ssl/ssl_engine_dh.c: https://bitbucket.org/api/2.0/snippets/wneessen/grb8/9ce0ecd2a060d734a87a8ce63524bbcbe67c4a7c/files/ssl_engine_dh_c.patch

Hope that helps,
Winni
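The workaround described above replaces the built-in DH parameters with a set generated at build time. As an added example (not code from this bug report or from the apache22 port), the following script reads a PEM "DH PARAMETERS" file, decodes the DER SEQUENCE { INTEGER p, INTEGER g } inside it and reports the bit length of the prime, so an administrator can verify that the parameters actually in use are not the 512/1024-bit defaults. The helper names, the MIN_BITS policy value and the sample parameters are assumptions; the samples are constructed and are not real primes.

```python
# Added example (not from the bug report or the apache22 port): report the
# prime size in a "DH PARAMETERS" PEM file. The PEM body is DER:
# SEQUENCE { INTEGER p, INTEGER g }. MIN_BITS is an assumed policy value.
import base64
import re

MIN_BITS = 2048  # assumed minimum; 2048 is the usual post-Logjam floor

def _der_len(n):
    """DER length: one byte below 128, else 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(n):
    """DER INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block (used to build samples)."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % body

def _der_read(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) as ints from the first DH PARAMETERS block in pem."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0)
    tp, p_bytes, pos = _der_read(seq, 0)
    tg, g_bytes, _ = _der_read(seq, pos)
    if (tag, tp, tg) != (0x30, 0x02, 0x02):
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_strength(pem, min_bits=MIN_BITS):
    """Return (bits, ok): bit length of p and whether it reaches min_bits."""
    bits = parse_dh_params(pem)[0].bit_length()
    return bits, bits >= min_bits

# Constructed samples (not real primes): 1024-bit like Apache 2.2's built-in
# default size, and 2048-bit like the port's generated parameters.
WEAK_PEM = make_dh_pem((1 << 1023) | 1)
STRONG_PEM = make_dh_pem((1 << 2047) | 1)
```

Point dh_strength() at the contents of the parameter file the server actually loads; a result below MIN_BITS means the host is still on parameters Logjam-class precomputation targets.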
Comment 1 florian.heigl 2015-06-10 08:17:51 UTC
Created attachment 157602 [details]
patch delivered without curling.

I dropped this patch in the port's files/ directory; it might be the right way of doing it.

Probably it should be extended with the 4096-bit thing.
Comment 2 Mark Felder freebsd_committer freebsd_triage 2015-06-10 17:25:14 UTC
Logjam workaround was committed to the www/apache22 port a few weeks ago

https://svnweb.freebsd.org/ports/head/www/apache22/Makefile?revision=386904&view=markup
Comment 3 florian.heigl 2015-06-10 20:24:20 UTC
Seems the missing piece is to also put it in the stable / security backport branch of FreeBSD. There's no patch in here:

https://svnweb.freebsd.org/ports/branches/2015Q2/www/apache22/Makefile?view=log or https://github.com/freebsd/freebsd-ports/blob/branches/2015Q2/www/apache22/Makefile for a fancier look.

idk, but it seems the maintainers for those branches somehow weren't informed, or they didn't yet get to it.
Comment 4 Mark Felder freebsd_committer freebsd_triage 2015-06-11 02:53:39 UTC
Good catch. This should have been MFH'd, especially since it was handled by:

With hat:	ports-secteam


Re-opening
Comment 5 Mark Felder freebsd_committer freebsd_triage 2015-06-11 02:55:06 UTC
zi, can you use this as a reminder to MFH the Logjam fix to the quarterly branch?


Thanks!
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-06-11 14:21:28 UTC
A commit references this bug:

Author: zi
Date: Thu Jun 11 14:21:05 UTC 2015
New revision: 389214
URL: https://svnweb.freebsd.org/changeset/ports/389214

Log:
  - Merge logjam fix from head
  - Bump PORTREVISION

  PR:		200756
  With hat:	ports-secteam
  Approved by:	ports-secteam
  MFH:		r386904,388386

Changes:
_U  branches/2015Q2/
  branches/2015Q2/www/apache22/Makefile
  branches/2015Q2/www/apache22/files/patch-modules_ssl_ssl__engine__dh.c