Winni Neessen grb8: Untitled snippet

Created by Winni Neessen

File README.txt Added

+## Workaround to change default 512/1024bit DH parameters in Apache 2.2 to 2048/3072bit
+
+1.  Download latest Apache 2.2 sources (2.2.29)
+2.  Change into the sources directory
+    cd httpd-2.2.29
+3.  Apply the attached patch:
+    patch -p0 < ssl_engine_dh_c.patch
+4.  Change directory to "modules/ssl"
+    cd modules/ssl/
+5.  Regenerate the DH params in ssl_engine_dh.c using the (modified) embedded perl script
+    perl ssl_engine_dh.c
+6.  Wait...
+7.  If successfully done, change back to the root of the Apache sources
+    cd ../..
+8.  (Re-)compile Apache
+9.  Install the newly compiled Apache
+10. Restart Apache
+
+Done.
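Review bot: step 5 depends on the embedded Perl script shelling out to `openssl gendh`, which is deprecated in favour of `openssl dhparam` and no longer shipped with OpenSSL 1.1.0 and later, so the README should state which OpenSSL version the regeneration was tested against. Step 6 ("Wait...") is worth quantifying: generating 3072-bit safe-prime parameters can take many minutes even on fast hardware, and users may assume the script has hung. A verification step after step 10 would also help, e.g. connecting with `openssl s_client -connect host:443 -cipher DHE-RSA-AES128-SHA` (OpenSSL 1.0.2 or later) and checking that the reported `Server Temp Key` line shows the expected DH size rather than 1024 bits.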

File ssl_engine_dh_c.patch Added

+--- /var/tmp/httpd-2.2.29/modules/ssl/ssl_engine_dh.c   2006-07-12 03:38:44.000000000 +0000
++++ modules/ssl/ssl_engine_dh.c 2015-05-20 15:25:17.610098218 +0000
+@@ -104,8 +104,8 @@
+ 
+-    if (nKeyLen == 512)
+-        dh = get_dh512();
+-    else if (nKeyLen == 1024)
+-        dh = get_dh1024();
++    if (nKeyLen == 2048)
++        dh = get_dh2048();
++    else if (nKeyLen == 3072)
++        dh = get_dh3072();
+     else
+-        dh = get_dh1024();
++        dh = get_dh3072();
+     return dh;
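Review bot: the rewritten conditions only select `get_dh2048()` when nKeyLen is exactly 2048, but nothing in this patch changes the caller that supplies nKeyLen; the old code expected 512 or 1024, and if the callback still receives those values both `if` branches are dead and every DHE handshake falls through to the `else` and gets the 3072-bit group. That is the safe direction, but then the 2048-bit parameters are compiled in for nothing, and a reader of the README expects a choice between the two sizes. Either adjust the caller to pass the intended size (for example derived from the server key length) or document that 3072 bits is the effective size regardless of what is requested.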
+@@ -153,3 +153,3 @@
+ #   generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
++print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
+ my $rand = '';
+@@ -163,4 +163,4 @@
+ $rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh $rand -out dh2048.pem 2048");
++system("openssl gendh $rand -out dh3072.pem 3072");
+ 
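Review bot: both `system("openssl gendh ...")` calls still ignore the return value, so on a toolchain where `gendh` is missing (it is deprecated in favour of `openssl dhparam` and removed in OpenSSL 1.1.0) the script carries on; the later `open(FP, "openssl dh ... |") || die` only catches a failed fork, not a missing .pem file, so the `$dhinfo`/`$dhsource` loops would silently read nothing and the regenerated C file would be missing its parameter data. Suggest `system(...) == 0 or die "DH parameter generation failed"` on both lines and, for portability, `openssl dhparam $rand -out dh2048.pem 2048` in place of `gendh`.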
+@@ -168,6 +168,6 @@
+ my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
++open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
+ $dhinfo .= $_ while (<FP>);
+@@ -179,6 +179,6 @@
+ my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+ close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
++open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
+ $dhsource .= $_ while (<FP>);
+@@ -205,4 +205,4 @@
+ #   cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
++unlink("dh2048.pem");
++unlink("dh3072.pem");