Winni Neessen grb8: Untitled snippet

## Workaround to change default 512/1024bit DH parameters in Apache 2.2 to 2048/3072bit
##
## This has been tested with Apache httpd-2.2.29 and checked via OpenSSL 1.0.2's s_client
## => openssl s_client -connect some.host.com:443 -tls1 -msg
## ===> Server Temp Key: DH, 3072 bits
## (the "Server Temp Key" line only reports a DH key when a DHE cipher suite was negotiated;
##  an ECDHE suite shows an EC key instead, so force a DHE suite with -cipher if needed)
##
## No warranty is given that this workaround really fixes the issue; re-check the negotiated
## temp key size with the s_client command above after every rebuild.

1.  Download latest Apache 2.2 sources (2.2.29)
2.  Change into the sources directory
    cd httpd-2.2.29
3.  Apply the attached patch:
    patch -p0 < ssl_engine_dh_c.patch
4.  Change directory to "modules/ssl"
    cd modules/ssl/
5.  Regenerate the DH params in ssl_engine_dh.c using the (modified) embedded perl script
    perl ssl_engine_dh.c
6.  Wait... (generating 2048- and 3072-bit DH parameters can take many minutes; the
    embedded perl script runs "openssl gendh" for each size)
7.  If successfully done, change back to the root of the Apache sources
    cd ../..
8.  (Re-)compile Apache
9.  Install the newly compiled Apache
10. Restart Apache

Done.

## If you are using FreeBSD, there is also a patch for the /usr/ports/www/apache22
## Makefile that takes care of the patching process (it fetches this snippet's patch at
## build time and applies it before compiling). Not nice, but it works.
--- /var/tmp/Makefile   2015-05-20 21:33:49.000000000 +0200
+++ /usr/jails/basejail/usr/ports/www/apache22/Makefile 2015-05-20 21:13:17.000000000 +0200
@@ -134,2 +134,6 @@
        @${FIND} ${WRKSRC} -type f \( -name 'NWGNU*' -o -name '*.ds?' -o -name '*.dep' -o -name '*.mak' -o -name '*.win' \) -delete
+# patch the dh params
+       @/usr/local/bin/curl -o /var/tmp/ssl_engine_dh_c.patch https://bitbucket.org/api/2.0/snippets/wneessen/grb8/0149fefa6cb22ef4d967433da49a60057599b67c/files/ssl_engine_dh_c.patch
+       @cd ${WRKSRC} && /usr/bin/patch -p0 </var/tmp/ssl_engine_dh_c.patch
+       @cd ${WRKSRC}/modules/ssl && ${PERL} ssl_engine_dh.c
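Review bot: The added curl line downloads the patch at build time and applies it with no integrity check, and the download lands at a fixed, predictable path under the world-writable /var/tmp, so a local user who pre-creates or symlinks /var/tmp/ssl_engine_dh_c.patch can inject arbitrary changes into the Apache build; curl is also invoked without -f, so an HTTP error page would be written out and handed to patch(1). Pinning the snippet revision in the URL fixes which content you asked for, not that what arrived is what you reviewed. The cleanest fix is to ship the reviewed patch in the port's files/ directory as a files/patch-* so the ports framework applies it without any network access and only the perl regeneration step remains; if the download must stay, at least fetch into ${WRKDIR}, fail hard, and compare a sha256 against the copy you reviewed. The enclosing target starts outside the hunk, so the target name is not visible here.

```makefile
# … unchanged: find/delete line of the enclosing target …
# patch the dh params: fetch into the build's private ${WRKDIR}, fail on HTTP errors, verify before applying
	@/usr/local/bin/curl -fsS -o ${WRKDIR}/ssl_engine_dh_c.patch https://bitbucket.org/api/2.0/snippets/wneessen/grb8/0149fefa6cb22ef4d967433da49a60057599b67c/files/ssl_engine_dh_c.patch
	@[ "$$(sha256 -q ${WRKDIR}/ssl_engine_dh_c.patch)" = "<sha256 of the reviewed patch>" ] || (${ECHO_MSG} "DH patch checksum mismatch"; exit 1)
	@cd ${WRKSRC} && /usr/bin/patch -p0 <${WRKDIR}/ssl_engine_dh_c.patch
	@cd ${WRKSRC}/modules/ssl && ${PERL} ssl_engine_dh.c
```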
--- /var/tmp/httpd-2.2.29/modules/ssl/ssl_engine_dh.c   2006-07-12 03:38:44.000000000 +0000
+++ modules/ssl/ssl_engine_dh.c 2015-05-20 15:25:17.610098218 +0000
@@ -104,8 +104,8 @@
 
-    if (nKeyLen == 512)
-        dh = get_dh512();
-    else if (nKeyLen == 1024)
-        dh = get_dh1024();
+    if (nKeyLen == 2048)
+        dh = get_dh2048();
+    else if (nKeyLen == 3072)
+        dh = get_dh3072();
     else
-        dh = get_dh1024();
+        dh = get_dh3072();
     return dh;
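Review bot: The new `nKeyLen == 2048` branch is most likely unreachable: nKeyLen is the length OpenSSL's temp-DH callback passes in, which in 1.0.x is derived from the cipher suite (512 for export suites, otherwise 1024 in practice), not from anything mod_ssl chooses, so every call falls through to the `else` and serves the 3072-bit group — which is consistent with the "DH, 3072 bits" result quoted at the top of the page, and means the 2048-bit parameters are generated at build time but never used. If 3072 is the intended single answer, make that explicit rather than leaving a dead branch, e.g. `/* OpenSSL passes 512/1024 here (cipher-suite derived); always serve the 3072-bit group */` above the `if`, or collapse the chain to `dh = get_dh3072();`; if 2048 was meant to be the default to keep per-handshake cost down, the `else` needs to change instead. Note that the function signature is outside the hunk, so the parameter semantics are inferred from the original 512/1024 matching, not visible here.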
@@ -153,3 +153,3 @@
 #   generate the DH parameters
-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+print "1. Generate 2048 and 3072 bit Diffie-Hellman parameters (p, g)\n";
 my $rand = '';
@@ -163,4 +163,4 @@
 $rand = "-rand $rand" if ($rand ne '');
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");
+system("openssl gendh $rand -out dh3072.pem 3072");
 
@@ -168,6 +168,6 @@
 my $dhinfo = '';
-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh2048.pem |") || die;
 $dhinfo .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+open(FP, "openssl dh -noout -text -in dh3072.pem |") || die;
 $dhinfo .= $_ while (<FP>);
@@ -179,6 +179,6 @@
 my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
+open(FP, "openssl dh -noout -C -in dh3072.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
@@ -205,4 +205,4 @@
 #   cleanup
-unlink("dh512.pem");
-unlink("dh1024.pem");
+unlink("dh2048.pem");
+unlink("dh3072.pem");