Winni Neessen grb8: Untitled snippet

Revised by Winni Neessen 0149fef
## Workaround to change default 512/1024bit DH parameters in Apache 2.2 to 2048/3072bit
##
## This has been tested with Apache httpd-2.2.29 and checked via OpenSSL 1.0.2's s_client
## => openssl s_client -connect some.host.com:443 -tls1 -msg
## ===> Server Temp Key: DH, 3072 bits
##
## No warranty is given that this workaround really fixes the issue

1.  Download the latest Apache 2.2 sources (2.2.29)
2.  Change into the sources directory
    cd httpd-2.2.29
3.  Apply the attached patch:
    patch -p0 < ssl_engine_dh_c.patch
4.  Change directory to "modules/ssl"
    cd modules/ssl/
5.  Regenerate the DH params in ssl_engine_dh.c using the (modified) embedded Perl script
    perl ssl_engine_dh.c
6.  Wait...
7.  If that completed successfully, change back to the root of the Apache sources
    cd ../..
8.  (Re-)compile Apache
9.  Install the newly compiled Apache
10. Restart Apache

Done.
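The header verifies the result by reading the "Server Temp Key" line from `openssl s_client`. The script below automates that check; it is an added example and not part of the original snippet. `dh_bits_from_sclient` extracts the bit count from s_client output, `check_min_dh` fails when the group is below a minimum, and `live_dh_check` wires both to a real connection. The sample output embedded at the bottom is constructed, not captured from a host, and the `-cipher EDH` argument (to force a DHE suite so the reported temp key is the DH group) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the snippet): confirm the ephemeral DH size
# that an Apache server negotiates, using the "Server Temp Key: DH, N bits"
# line that OpenSSL 1.0.2's s_client prints.

# Read s_client output on stdin and print the DH bit count from the first
# "Server Temp Key: DH, N bits" line; prints nothing if no such line exists.
dh_bits_from_sclient() {
    sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# check_min_dh BITS MIN: return 0 when BITS is a number >= MIN, 1 otherwise
# (an empty or non-numeric BITS, e.g. no DHE suite negotiated, also fails).
check_min_dh() {
    bits="$1"; min="$2"
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -ge "$min" ]
}

# live_dh_check HOST:PORT [MIN]: connect with the s_client invocation from the
# header, forcing a DHE suite (-cipher EDH is an assumption of this example),
# and return 0 only if the negotiated DH group meets MIN (default 2048).
live_dh_check() {
    target="$1"; min="${2:-2048}"
    bits=$(echo | openssl s_client -connect "$target" -tls1 -cipher EDH 2>/dev/null \
           | dh_bits_from_sclient)
    check_min_dh "$bits" "$min"
}

# Constructed sample output (not captured from a real server): one server
# still on the stock 1024-bit group, one after applying the workaround.
SAMPLE_OLD='---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_NEW='---
Server Temp Key: DH, 3072 bits
---'

# Offline demonstration on the constructed samples.
for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    b=$(printf '%s\n' "$s" | dh_bits_from_sclient)
    if check_min_dh "$b" 2048; then
        echo "DH ${b} bits: OK"
    else
        echo "DH ${b:-unknown} bits: below 2048, apply the workaround"
    fi
done
```

For a real server, run `live_dh_check some.host.com:443 2048` after step 10; a non-zero exit means the new parameters are not being served, which also happens if no DHE suite is enabled at all, so check the cipher configuration before blaming the patch.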
--- /var/tmp/httpd-2.2.29/modules/ssl/ssl_engine_dh.c   2006-07-12 03:38:44.000000000 +0000
+++ modules/ssl/ssl_engine_dh.c 2015-05-20 15:25:17.610098218 +0000
@@ -104,8 +104,8 @@
 
-    if (nKeyLen == 512)
-        dh = get_dh512();
-    else if (nKeyLen == 1024)
-        dh = get_dh1024();
+    if (nKeyLen == 2048)
+        dh = get_dh2048();
+    else if (nKeyLen == 3072)
+        dh = get_dh3072();
     else
-        dh = get_dh1024();
+        dh = get_dh3072();
     return dh;
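Review bot: the rewritten `else` branch now returns get_dh3072() for every nKeyLen other than exactly 2048 or 3072, including the 512 and 1024 values the removed branches used to serve, so no code path can hand out a sub-2048 group any more; that is the point of the change, but it deserves a comment above the `if` stating that 3072 is the deliberate floor rather than a leftover fallback. Note also that this hunk only compiles after step 5 has regenerated the file: get_dh2048() and get_dh3072() do not exist until the embedded script emits them, and get_dh512()/get_dh1024() disappear at that point. A cosmetic point on the headers: the `---` line carries an absolute /var/tmp path while `+++` is relative; with `patch -p0` from the source root the relative name is the one that resolves, but making both relative avoids confusion.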
@@ -153,3 +153,3 @@
 #   generate the DH parameters
-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
 my $rand = '';
@@ -163,4 +163,4 @@
 $rand = "-rand $rand" if ($rand ne '');
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");
+system("openssl gendh $rand -out dh3072.pem 3072");
 
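Review bot: `openssl gendh` is the legacy form of `openssl dhparam` and is gone in OpenSSL 1.1.0, so these two lines tie the regeneration step to an old toolchain; `system("openssl dhparam $rand -out dh2048.pem 2048");` produces the same PEM file and keeps working on newer releases. The return value of system() is also unchecked on both lines, so a failed or interrupted generation (3072-bit parameters take a while, hence step 6) is only noticed later when `openssl dh -in` dies on a missing file; checking `system(...) == 0` here gives a clear error at the point of failure.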
@@ -168,6 +168,6 @@
 my $dhinfo = '';
-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
 $dhinfo .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
 $dhinfo .= $_ while (<FP>);
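Review bot: `openssl dh` is the same legacy alias as `gendh` and is likewise absent from OpenSSL 1.1.0; `openssl dhparam -noout -text -in dh2048.pem` is the equivalent, and the same substitution applies to the two `-C` lines in the following hunk. The bare `|| die` on both open() calls reports no reason when the pipe cannot be started; `die "cannot run openssl dh: $!"` would make a missing openssl binary or an unreadable PEM file obvious.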
@@ -179,6 +179,6 @@
 my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
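Review bot: these `-C` invocations are what define the get_dh2048() and get_dh3072() functions that the first hunk calls, since the generated function name is derived from the bit length of the prime in the PEM file; a one-line comment here saying so would make the dependency between the C selection code and the regenerated section visible to the next person editing either side.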
@@ -205,4 +205,4 @@
 #   cleanup
-unlink("dh512.pem");
-unlink("dh1024.pem");
+unlink("dh2048.pem");
+unlink("dh3072.pem");