openSUSE 13.1 and weakdh.org

openSUSE 13.1 and weakdh.org

Tobias Hennerich
Hi,

we have several webservers using apache and openSUSE 13.1.

https://www.ssllabs.com/ssltest/ rates these systems with an overall
rating "B", because "/This server supports weak Diffie-Hellman (DH) key
exchange parameters./".

The recommendations on https://weakdh.org/sysadmin.html can not be used
because the apache directive SSLOpenSSLConfCmd needs apache 2.4.8 and
openSUSE 13.1 is using 2.4.6. The other suggestion to append the
DHparams to the end of the certificate file does also not work, because
you need apache 2.4.7 for that.

I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723 from May
2015 in Status "NEW". There is a comment from "/Swamp Workflow
Management 2015-10-06 07:09:35 UTC/", that there should be a fix for
openSUSE 13.1 with apache2-2.4.6-6.50.1, but a "rpm -q --changelog
apache2" does not mention this problem and the various patches of the
src-rpm do not match, too.

Any suggestions?

Best regards       Tobias

--
T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
http://www.hennerich.de/                Amtsgericht Stuttgart, HRB 281482

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
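
An added example, not part of the original post: a shell sketch that maps an Apache version to the two weakdh.org options named above (SSLOpenSSLConfCmd from 2.4.8, DH parameters appended to the certificate file from 2.4.7) and reads the ephemeral DH size from `openssl s_client` output. The function names, the result labels, the 2048-bit threshold and both sample inputs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample inputs below are constructed.

# Constructed sample: first line of `apache2ctl -v` on a 13.1 host.
SAMPLE_APACHE_V='Server version: Apache/2.4.6 (Linux/SUSE)'

# Constructed sample: excerpt of `openssl s_client` output after a DHE
# handshake (the "Server Temp Key" line is printed by OpenSSL 1.0.2+).
SAMPLE_SCLIENT='---
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'

# apache_version: read `apache2ctl -v` output on stdin, print e.g. 2.4.6
apache_version() {
    sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p' | head -n1
}

# version_ge A B: succeed when dotted version A >= B (needs sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# dh_mitigation VERSION: print which option from the post is usable.
dh_mitigation() {
    if version_ge "$1" 2.4.8; then
        echo "SSLOpenSSLConfCmd"            # DHParameters via directive
    elif version_ge "$1" 2.4.7; then
        echo "append-dhparams-to-cert"      # DH params in certificate file
    else
        echo "needs-patched-package"        # neither option available
    fi
}

# dh_bits: read s_client output on stdin, print the DH group size if any.
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n1
}

# dh_verdict: classify the handshake; below 2048 bits is treated as weak.
dh_verdict() {
    bits="$(dh_bits)"
    if [ -z "$bits" ]; then
        echo "no-dhe"
    elif [ "$bits" -lt 2048 ]; then
        echo "weak:$bits"
    else
        echo "ok:$bits"
    fi
}

ver="$(printf '%s\n' "$SAMPLE_APACHE_V" | apache_version)"
echo "apache $ver -> $(dh_mitigation "$ver")"
echo "handshake  -> $(printf '%s\n' "$SAMPLE_SCLIENT" | dh_verdict)"
```

On a live host, feed `apache2ctl -v` and `openssl s_client -connect HOST:443 -cipher EDH </dev/null` into the same functions instead of the samples.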


Re: openSUSE 13.1 and weakdh.org

Tobias Hennerich
Hi,

after one week no response to my mail at all :-(

Is the answer too obvious or is the topic too exotic? Or is
opensuse-security just the wrong mailing list?

Kind regards    Tobias

--
T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482

On 17.11.2015 at 17:32, Tobias Hennerich wrote:

> Hi,
>
> we have several webservers using apache and openSUSE 13.1.
>
> https://www.ssllabs.com/ssltest/ rates these systems with an overall
> rating "B", because "/This server supports weak Diffie-Hellman (DH)
> key exchange parameters./".
>
> The recommendations on https://weakdh.org/sysadmin.html can not be
> used because the apache directive SSLOpenSSLConfCmd needs apache 2.4.8
> and openSUSE 13.1 is using 2.4.6. The other suggestion to append the
> DHparams to the end of the certificate file does also not work,
> because you need apache 2.4.7 for that.
>
> I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723 from
> May 2015 in Status "NEW". There is a comment from "/Swamp Workflow
> Management ////2015-10-06 07:09:35 UTC/", that there should be a fix
> for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a "rpm -q --changelog
> apache2" does not mention this problem and the various patches of the
> src-rpm do not match, too.
>
> Any suggestions?
>
> Best regards       Tobias
>


Re: openSUSE 13.1 and weakdh.org

Marcus Meissner
Hi,

I have read it. The patch is just hard to backport sadly.

Ciao, Marcus
On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:

> Hi,
>
> after one week no response to my mail at all :-(
>
> Is the answer too obvious or is the topic too exotic? Or is
> opensuse-security just the wrong mailing list?
>
> Kind regards    Tobias
>
> --
> T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
>
> On 17.11.2015 at 17:32, Tobias Hennerich wrote:
> >Hi,
> >
> >we have several webservers using apache and openSUSE 13.1.
> >
> >https://www.ssllabs.com/ssltest/ rates these systems with an
> >overall rating "B", because "/This server supports weak
> >Diffie-Hellman (DH) key exchange parameters./".
> >
> >The recommendations on https://weakdh.org/sysadmin.html can not be
> >used because the apache directive SSLOpenSSLConfCmd needs apache
> >2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
> >append the DHparams to the end of the certificate file does also
> >not work, because you need apache 2.4.7 for that.
> >
> >I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
> >from May 2015 in Status "NEW". There is a comment from "/Swamp
> >Workflow Management ////2015-10-06 07:09:35 UTC/", that there
> >should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
> >"rpm -q --changelog apache2" does not mention this problem and the
> >various patches of the src-rpm do not match, too.
> >
> >Any suggestions?
> >
> >Best regards       Tobias
> >
>
> --
> To unsubscribe, e-mail: [hidden email]
> To contact the owner, e-mail: [hidden email]
>

--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <[hidden email]>

Re: openSUSE 13.1 and weakdh.org

Tobias Hennerich
Hi Marcus,

thank you for your mail.

So the comment #21 from "swamp workflow management" in ticket 931723 is
just wrong (at least concerning 13.1) ?

Best regards     Tobias

--
T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482

On 24.11.2015 at 15:00, Marcus Meissner wrote:

> Hi,
>
> I have read it. The patch is just hard to backport sadly.
>
> Ciao, Marcus
> On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:
>> Hi,
>>
>> after one week no response to my mail at all :-(
>>
>> Is the answer too obvious or is the topic too exotic? Or is
>> opensuse-security just the wrong mailing list?
>>
>> Kind regards    Tobias
>>
>> --
>> T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
>> Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
>> Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
>> http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
>>
>> On 17.11.2015 at 17:32, Tobias Hennerich wrote:
>>> Hi,
>>>
>>> we have several webservers using apache and openSUSE 13.1.
>>>
>>> https://www.ssllabs.com/ssltest/ rates these systems with an
>>> overall rating "B", because "/This server supports weak
>>> Diffie-Hellman (DH) key exchange parameters./".
>>>
>>> The recommendations on https://weakdh.org/sysadmin.html can not be
>>> used because the apache directive SSLOpenSSLConfCmd needs apache
>>> 2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
>>> append the DHparams to the end of the certificate file does also
>>> not work, because you need apache 2.4.7 for that.
>>>
>>> I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
>>> from May 2015 in Status "NEW". There is a comment from "/Swamp
>>> Workflow Management ////2015-10-06 07:09:35 UTC/", that there
>>> should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
>>> "rpm -q --changelog apache2" does not mention this problem and the
>>> various patches of the src-rpm do not match, too.
>>>
>>> Any suggestions?
>>>
>>> Best regards       Tobias
>>>
>> --
>> To unsubscribe, e-mail: [hidden email]
>> To contact the owner, e-mail: [hidden email]
>>


Re: openSUSE 13.1 and weakdh.org

Sebastian Krahmer-2
In reply to this post by Tobias Hennerich
Hi

That's strange indeed. According to the BZ track, this problem
should have been addressed. Investigating why this is apparently not
the case with the built rpms...

regards
Sebastian

On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:

> Hi,
>
> after one week no response to my mail at all :-(
>
> Is the answer too obvious or is the topic too exotic? Or is
> opensuse-security just the wrong mailing list?
>
> Kind regards    Tobias
>
> --
> T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
>
> On 17.11.2015 at 17:32, Tobias Hennerich wrote:
> >Hi,
> >
> >we have several webservers using apache and openSUSE 13.1.
> >
> >https://www.ssllabs.com/ssltest/ rates these systems with an
> >overall rating "B", because "/This server supports weak
> >Diffie-Hellman (DH) key exchange parameters./".
> >
> >The recommendations on https://weakdh.org/sysadmin.html can not be
> >used because the apache directive SSLOpenSSLConfCmd needs apache
> >2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
> >append the DHparams to the end of the certificate file does also
> >not work, because you need apache 2.4.7 for that.
> >
> >I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
> >from May 2015 in Status "NEW". There is a comment from "/Swamp
> >Workflow Management ////2015-10-06 07:09:35 UTC/", that there
> >should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
> >"rpm -q --changelog apache2" does not mention this problem and the
> >various patches of the src-rpm do not match, too.
> >
> >Any suggestions?
> >
> >Best regards       Tobias
> >
>
> --
> To unsubscribe, e-mail: [hidden email]
> To contact the owner, e-mail: [hidden email]

--

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ [hidden email] - SuSE Security Team


Re: openSUSE 13.1 and weakdh.org

Tobias Hennerich
Hi all,

three weeks later, still no news to this topic. Is there any hope left,
that this problem will be fixed sometime in the future?

Can someone at least update comment 21 of
https://bugzilla.suse.com/show_bug.cgi?id=931723 referring to 13.1 ?
This is just plain wrong...

Regards / Viele Grüße         Tobias Hennerich

--
T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482

On 24.11.2015 at 15:08, Sebastian Krahmer wrote:

> Hi
>
> Thats strange indeed. According to the BZ track, this problem
> should have been addressed. Investigating why this is apparently not
> the case with the built rpms...
>
> regards
> Sebastian
>
> On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:
>> Hi,
>>
>> after one week no response to my mail at all :-(
>>
>> Is the answer too obvious or is the topic too exotic? Or is
>> opensuse-security just the wrong mailing list?
>>
>> Kind regards    Tobias
>>
>> --
>> T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
>> Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
>> Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
>> http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
>>
>> On 17.11.2015 at 17:32, Tobias Hennerich wrote:
>>> Hi,
>>>
>>> we have several webservers using apache and openSUSE 13.1.
>>>
>>> https://www.ssllabs.com/ssltest/ rates these systems with an
>>> overall rating "B", because "/This server supports weak
>>> Diffie-Hellman (DH) key exchange parameters./".
>>>
>>> The recommendations on https://weakdh.org/sysadmin.html can not be
>>> used because the apache directive SSLOpenSSLConfCmd needs apache
>>> 2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
>>> append the DHparams to the end of the certificate file does also
>>> not work, because you need apache 2.4.7 for that.
>>>
>>> I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
>>> from May 2015 in Status "NEW". There is a comment from "/Swamp
>>> Workflow Management ////2015-10-06 07:09:35 UTC/", that there
>>> should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
>>> "rpm -q --changelog apache2" does not mention this problem and the
>>> various patches of the src-rpm do not match, too.
>>>
>>> Any suggestions?
>>>
>>> Best regards       Tobias
>>>
>> --
>> To unsubscribe, e-mail: [hidden email]
>> To contact the owner, e-mail: [hidden email]


Re: openSUSE 13.1 and weakdh.org

Marcus Meissner
Hi,

I revived my test patch, if you would like to test it.

This is a ssl backport from 2.4.10 to 2.4.6.

Alternatively we could also remove the 512 and 1024 bit group
and add a fixed 2048 bit group, which would be more minimal.

Ciao, Marcus
On Tue, Dec 15, 2015 at 02:13:32PM +0100, Tobias Hennerich wrote:

> Hi all,
>
> three weeks later, still no news to this topic. Is there any hope
> left, that this problem will be fixed sometime in the future?
>
> Can someone at least update comment 21 of
> https://bugzilla.suse.com/show_bug.cgi?id=931723 referring to 13.1 ?
> This is just plain wrong...
>
> Regards / Viele Grüße         Tobias Hennerich
>
> --
> T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
>
> On 24.11.2015 at 15:08, Sebastian Krahmer wrote:
> >Hi
> >
> >Thats strange indeed. According to the BZ track, this problem
> >should have been addressed. Investigating why this is apparently not
> >the case with the built rpms...
> >
> >regards
> >Sebastian
> >
> >On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:
> >>Hi,
> >>
> >>after one week no response to my mail at all :-(
> >>
> >>Is the answer too obvious or is the topic too exotic? Or is
> >>opensuse-security just the wrong mailing list?
> >>
> >>Kind regards    Tobias
> >>
> >>--
> >>T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> >>Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> >>Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> >>http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
> >>
> >>On 17.11.2015 at 17:32, Tobias Hennerich wrote:
> >>>Hi,
> >>>
> >>>we have several webservers using apache and openSUSE 13.1.
> >>>
> >>>https://www.ssllabs.com/ssltest/ rates these systems with an
> >>>overall rating "B", because "/This server supports weak
> >>>Diffie-Hellman (DH) key exchange parameters./".
> >>>
> >>>The recommendations on https://weakdh.org/sysadmin.html can not be
> >>>used because the apache directive SSLOpenSSLConfCmd needs apache
> >>>2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
> >>>append the DHparams to the end of the certificate file does also
> >>>not work, because you need apache 2.4.7 for that.
> >>>
> >>>I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
> >>>from May 2015 in Status "NEW". There is a comment from "/Swamp
> >>>Workflow Management ////2015-10-06 07:09:35 UTC/", that there
> >>>should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
> >>>"rpm -q --changelog apache2" does not mention this problem and the
> >>>various patches of the src-rpm do not match, too.
> >>>
> >>>Any suggestions?
> >>>
> >>>Best regards       Tobias
> >>>
> >>--
> >>To unsubscribe, e-mail: [hidden email]
> >>To contact the owner, e-mail: [hidden email]
>
> --
> To unsubscribe, e-mail: [hidden email]
> To contact the owner, e-mail: [hidden email]
>

--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <[hidden email]>

Re: openSUSE 13.1 and weakdh.org

Marcus Meissner
On Tue, Dec 15, 2015 at 03:36:30PM +0100, Marcus Meissner wrote:
> HI,
>
> I revived my test patch, if you would like to test it.

http://download.opensuse.org/repositories/home:/msmeissn:/branches:/openSUSE:/13.1:/Update/openSUSE_13.1_Update/x86_64/
 

> This is a ssl backport from 2.4.10 to 2.4.6.
>
> Alternatively we could also remove the 512 and 1024 bit group
> and add a fixed 2048 bit group, which would be more minimal.
>
> Ciao, Marcus
> On Tue, Dec 15, 2015 at 02:13:32PM +0100, Tobias Hennerich wrote:
> > Hi all,
> >
> > three weeks later, still no news to this topic. Is there any hope
> > left, that this problem will be fixed sometime in the future?
> >
> > Can someone at least update comment 21 of
> > https://bugzilla.suse.com/show_bug.cgi?id=931723 referring to 13.1 ?
> > This is just plain wrong...
> >
> > Regards / Viele Grüße         Tobias Hennerich
> >
> > --
> > T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> > Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> > Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> > http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
> >
> > On 24.11.2015 at 15:08, Sebastian Krahmer wrote:
> > >Hi
> > >
> > >Thats strange indeed. According to the BZ track, this problem
> > >should have been addressed. Investigating why this is apparently not
> > >the case with the built rpms...
> > >
> > >regards
> > >Sebastian
> > >
> > >On Tue, Nov 24, 2015 at 02:43:36PM +0100, Tobias Hennerich wrote:
> > >>Hi,
> > >>
> > >>after one week no response to my mail at all :-(
> > >>
> > >>Is the answer too obvious or is the topic too exotic? Or is
> > >>opensuse-security just the wrong mailing list?
> > >>
> > >>Kind regards    Tobias
> > >>
> > >>--
> > >>T+T Hennerich GmbH     /      Zettachring 12a      /     70567 Stuttgart
> > >>Fon:+49(711)720714-0   Fax:+49(711)720714-44    Vanity:+49(700)HENNERICH
> > >>Geschäftsführer: Dipl. Inf. Tobias Hennerich + Dipl. Inf. Timo Hennerich
> > >>http://www.hennerich.de/               Amtsgericht Stuttgart, HRB 281482
> > >>
> > >>On 17.11.2015 at 17:32, Tobias Hennerich wrote:
> > >>>Hi,
> > >>>
> > >>>we have several webservers using apache and openSUSE 13.1.
> > >>>
> > >>>https://www.ssllabs.com/ssltest/ rates these systems with an
> > >>>overall rating "B", because "/This server supports weak
> > >>>Diffie-Hellman (DH) key exchange parameters./".
> > >>>
> > >>>The recommendations on https://weakdh.org/sysadmin.html can not be
> > >>>used because the apache directive SSLOpenSSLConfCmd needs apache
> > >>>2.4.8 and openSUSE 13.1 is using 2.4.6. The other suggestion to
> > >>>append the DHparams to the end of the certificate file does also
> > >>>not work, because you need apache 2.4.7 for that.
> > >>>
> > >>>I found ticket https://bugzilla.suse.com/show_bug.cgi?id=931723
> > >>>from May 2015 in Status "NEW". There is a comment from "/Swamp
> > >>>Workflow Management ////2015-10-06 07:09:35 UTC/", that there
> > >>>should be a fix for openSUSE 13.1 with apache2-2.4.6-6.50.1, but a
> > >>>"rpm -q --changelog apache2" does not mention this problem and the
> > >>>various patches of the src-rpm do not match, too.
> > >>>
> > >>>Any suggestions?
> > >>>
> > >>>Best regards       Tobias
> > >>>
> > >>--
> > >>To unsubscribe, e-mail: [hidden email]
> > >>To contact the owner, e-mail: [hidden email]
> >
> > --
> > To unsubscribe, e-mail: [hidden email]
> > To contact the owner, e-mail: [hidden email]
> >
>
> --
> Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <[hidden email]>
> --
> To unsubscribe, e-mail: [hidden email]
> To contact the owner, e-mail: [hidden email]
>

--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <[hidden email]>