Bug 1251796 - Need 2048-bit DH support for JWS HTTPD
Summary: Need 2048-bit DH support for JWS HTTPD
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: 2.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: DR01
Target Release: 2.1.1
Assignee: Jean-frederic Clere
QA Contact: Michal Karm Babacek
Docs Contact: Betty Prioux
URL:
Whiteboard:
Depends On:
Blocks: 1338651
 
Reported: 2015-08-10 01:06 UTC by Eiichi Nagai
Modified: 2019-07-11 09:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: httpd should be able to use larger DH keys for secure connections.
Consequence: OpenSSL is updated to version 1.0.2h, which allows newly generated DH parameters to be appended to the default certificate file, localhost.crt.
Fix: After installing httpd and running the .postinstall script, a few more commands extend the default certificate file if needed. Run the openssl shipped in the zip/rpm package, "<path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048", to generate 2048-bit DH parameters. Append the content of dh_2048.pem to the localhost.crt created by the .postinstall script (httpd/conf.d/ssl.conf shows the actual location of that file). Then start the httpd server.
Result: The server starts with an extended Server Temp Key: DH, 2048 bits. You can verify this by running "<path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384".
Clone Of:
: 1338651 (view as bug list)
Environment:
Last Closed: 2019-06-13 12:09:34 UTC
Type: Bug
Embargoed:



Description Eiichi Nagai 2015-08-10 01:06:11 UTC
Description of problem:
The customer needs to set 2048 bit DH on JWS httpd.
It seems that there is the "SSLOpenSSLConfCmd DHParameters" configuration in Apache httpd 2.4.8+, and the DH PARAMETERS can be set in Apache httpd 2.4.7+ for 2048-bit DH[1].
However, JWS 2.1 is Apache httpd 2.2.26 and JWS 3.0 is Apache httpd 2.4.6[2]. This means that the current JWS httpd cannot set 2048-bit DH.

[1] https://weakdh.org/sysadmin.html
~~~
In newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file.
~~~

[2] https://weakdh.org/sysadmin.html

Version-Release number of selected component (if applicable):
JWS 2.1
* If we can accept this request on JWS 2.1, please also fix JWS 3.0.
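The procedure from the Doc Text (generate 2048-bit DH parameters with the bundled openssl, append them to localhost.crt, verify with s_client) and the append-to-certificate route the description quotes from weakdh.org, written out as checkable shell functions. This is an added example, not a script from the bug report or from JWS; the OPENSSL, CERT and DH_FILE values and the "run" argument are assumptions, and the s_client output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the bug report or from JWS: the Doc Text procedure
# (generate 2048-bit DH parameters, append them to the certificate file,
# verify the negotiated temp key) as checkable shell functions.
# OPENSSL, CERT and DH_FILE are assumptions; take the real certificate path
# from the SSLCertificateFile line in httpd/conf.d/ssl.conf.

OPENSSL="${OPENSSL:-openssl}"        # JWS ships its own openssl; point at it
CERT="${CERT:-conf/localhost.crt}"   # assumed; see ssl.conf
DH_FILE="${DH_FILE:-dh_2048.pem}"

# Generate 2048-bit DH parameters. This is slow (minutes on a small box);
# do it once and keep the file.
gen_dhparam() {
    "$OPENSSL" dhparam -out "$DH_FILE" 2048
}

# Append the DH parameters to the certificate file exactly once. Re-running
# the doc-text step blindly would stack a second block into the file.
append_dhparam() {
    cert="$1"; dh="$2"
    if grep -q 'BEGIN DH PARAMETERS' "$cert"; then
        echo "$cert already contains DH parameters, not appending" >&2
        return 1
    fi
    cat "$dh" >> "$cert"
}

# Extract the bit count from the "Server Temp Key: DH, N bits" line of
# s_client output. Prints nothing if the server did not use finite-field DH
# (for example when an ECDHE suite was negotiated instead).
temp_key_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# True when a DH temp key was reported and it has at least MIN bits.
dh_strong_enough() {
    bits="$1"; min="$2"
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Connect with a DHE-only cipher so the server has to use its DH parameters;
# without -cipher the server may pick ECDHE and you learn nothing about DH.
verify_dh() {
    host="$1"; port="$2"; min="${3:-2048}"
    out=$("$OPENSSL" s_client -connect "$host:$port" \
            -cipher DHE-RSA-AES256-GCM-SHA384 </dev/null 2>/dev/null)
    dh_strong_enough "$(temp_key_bits "$out")" "$min"
}

# Constructed sample of the relevant s_client lines (not captured from a
# real JWS host), so the parser can be exercised without a running server.
SAMPLE_S_CLIENT_OUTPUT='---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
---'

# Full procedure; invoke as "sh dh2048.sh run" on the JWS host (assumed name).
if [ "${1:-}" = "run" ]; then
    gen_dhparam
    append_dhparam "$CERT" "$DH_FILE"
    echo "DH parameters appended; restart httpd, then check with:" >&2
    echo "  verify_dh localhost 443 2048" >&2
fi
```

Two points a practitioner should keep in mind: the "Server Temp Key: DH, 2048 bits" line only appears when a finite-field DHE suite is actually negotiated, which is why the check pins a DHE cipher the way the Doc Text does; and the append-to-certificate route is the one that applies to the httpd 2.2.x and 2.4.6 builds named in the description, whereas on httpd 2.4.8+ with OpenSSL 1.0.2 the description's quoted `SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"` directive points at the file directly.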

Comment 1 Timothy Walsh 2015-08-17 03:06:15 UTC
This seems like a duplicate of BZ 1238084 and RHEA-2015:1584.

Comment 8 Jean-frederic Clere 2016-06-22 12:14:46 UTC
The update of openssl to 1.0.2h allows the dh_param to be used in the certificate file.

Comment 9 Jan Onderka 2016-08-05 10:28:47 UTC
Added Doc-text

Comment 10 PnT Account Manager 2017-12-08 00:03:24 UTC
Employee 'fgoldefu' has left the company.

