apache2.2 SSL has no forward-secrecy: need ECDHE keys
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apache2 Web Server | Fix Released | Wishlist | | |
| apache2 (Debian) | Fix Released | Unknown | | |
| apache2 (Ubuntu) | Fix Released | Wishlist | Unassigned | |
| Precise | Fix Released | Wishlist | Marc Deslauriers | |

Bug Description
In the light of recent revelations about Prism/NSA/GCHQ etc, it is more important than ever to keep SSL secure.
But... as far as I can tell, there exists no combination of SSL ciphers that satisfies all of:
* Resistant to the BEAST attack
* Has Perfect Forward Secrecy
* Is in Apache 2.2
[I'm testing with: https:/
The only solution seems to be to deploy Apache 2.4 (or backport the ECDHE ciphers into the 2.2 package).
Can I suggest therefore that the lack of Apache 2.4 packages represents a serious security vulnerability to people visiting websites hosted on Ubuntu.
This affects every currently released Ubuntu distro (including raring). There is still no package of apache 2.4, nor is there a backport of the ECDHE feature. There are some PPAs of 2.4, but these aren't maintained with security updates, nor do they support mod_php.
information type: | Private Security → Public Security |
Changed in apache2 (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
Changed in apache2 (Debian): | |
status: | Unknown → Fix Released |
Changed in apache2 (Ubuntu Precise): | |
status: | New → Confirmed |
tags: | added: precise |
Changed in apache2 (Ubuntu Precise): | |
importance: | Undecided → Wishlist |
Changed in apache2: | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in apache2: | |
importance: | Unknown → Wishlist |
status: | Unknown → Fix Released |
Created attachment 25714
Allow admin-chosen DH parameters for DHE enabled cipher-modes
In order to be EAL4+ validated for one of our customers, Apache needs to be able to support 2048+ bits group size for Diffie-Hellman parameters. Right now, temporary parameters are 512 and 1024 bits only.
We can still disallow DH at all, leaving only RSA for authentication and pre-master secret encryption, but that's a suboptimal solution, as we then lose forward secrecy.
Adding a 2048 bits DH temporary key into mod_ssl is not possible, since OpenSSL would only ask for a 512/1024 bits one, depending on the "exportability" of the chosen cipher-mode.
This patch adds a new configuration directive, "SSLDHParametersFile <file>", allowing the administrator to supply its own Diffie-Hellman parameters ("openssl dhparam 2048 > dhparam2048.pem" to generate 2048 bits ones, for example).
If this directive is specified and parameters are found in the supplied file, then these parameters will be used whenever DHE is used to negotiate the pre-master secret. If this directive is not used, then it works like it does now, leaving OpenSSL to ask mod_ssl for a set of parameters of the desired size (512 or 1024 bits).
We'd like this to be evaluated, discussed, and if possible, applied.
Regards.
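
Added example, not part of the patch above or of mod_ssl: a check an administrator could run on a file produced by `openssl dhparam` to confirm that the group size meets the 2048-bit requirement before a server is configured to use it. All function names are hypothetical, and the sample parameters are constructed to have the right size only; the sample modulus is not a real prime.

```python
import base64

BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_params_from_pem(pem):
    """Parse a PKCS#3 DHParameter block (SEQUENCE { p, g, ... }) and return (p, g)."""
    if BEGIN not in pem or END not in pem:
        raise ValueError("no DH PARAMETERS block found")
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    tag, seq, _ = _read_tlv(base64.b64decode("".join(body.split())), 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_p, p_raw, nxt = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def group_size_ok(pem, min_bits=2048):
    """True when the modulus p is at least min_bits long."""
    return dh_params_from_pem(pem)[0].bit_length() >= min_bits

# --- constructed sample input (right size, NOT a usable prime) ---
def _der(tag, value):
    n = len(value)
    octets = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | octets]) + n.to_bytes(octets, "big")
    return bytes([tag]) + hdr + value

def make_sample_pem(bits):
    ints = [(1 << (bits - 1)) | 1, 2]       # constructed p of the given size, generator 2
    seq = b"".join(_der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in ints)
    b64 = base64.b64encode(_der(0x30, seq)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, "bits ->", "ok" if group_size_ok(make_sample_pem(bits)) else "too small")
```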