Child pages
  • Advanced Apache hints

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Using long non-standard DH groups

This needs Apache 2.4.8 and OpenSSL 1.0.2.

To help fix CVE-2015-4000 or at least reduce the risk:

No Format
openssl dhparam -out dhparams.pem 2048
 
# either ...
$EDITOR /etc/apache2/mods-available/ssl.conf
# Long non-trivial DH group against CVE-2015-4000"
SSLOpenSSLConfCmd DHParameters dhparams.pem
 
# ... or ...
cat dhparams.pem >>www.foobar.com.crt
 
apache2ctl configtest && apache2ctl graceful

To test this, on from a machine client machin with OpenSSL 1.0.2 higher (from openssl.org blog logjam-freak-upcoming-changes):

...