Bug 1138159

Summary: Backport ECDH support to httpd
Product: Red Hat Software Collections Reporter: Ingo Weiss <iweiss>
Component: httpdAssignee: Jan Kaluža <jkaluza>
Status: CLOSED ERRATA QA Contact: Ondřej Pták <optak>
Severity: medium Docs Contact:
Priority: unspecified    
Version: httpd24CC: jkaluza, jorton, kanderso, optak, redhat, rmainz
Target Milestone: ---   
Target Release: 2.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd24-httpd-2.4.10-1.el7 httpd24-httpd-2.4.10-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1035818 Environment:
Last Closed: 2015-06-04 09:12:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 11 Ondřej Pták 2015-04-15 14:46:05 UTC 
On rhel-7 ECDH support was even in version httpd24-httpd-devel-2.4.6-25.el7 (built against newer openssl)
On rhel-6 ECDH support was successfully added

httpd24-httpd-2.4.6-22.el6
==========================
something like this for every cipher variant tested:

:: [   FAIL   ] :: Connecting to localhost with openssl (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Cipher is ECDHE-RSA-AES256-SHA384' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Server Temp Key: ECDH' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Verify return code: 0' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should not contain 'fail' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should not contain 'error:' 

httpd24-httpd-2.4.12-3.el6
==========================
test passed for all these cipher variants (log just from one):
ECDHE-RSA-AES128-GCM-SHA256   ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384       ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA        ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-AES128-GCM-SHA256(curve=secp384r1)
ECDHE-ECDSA-AES128-GCM-SHA256(curve=secp521r1)
ECDHE-ECDSA-AES128-GCM-SHA256(curve=prime256v1)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing httpd with ECDH, cipher ECDHE-RSA-AES128-GCM-SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Connecting to localhost with openssl (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Cipher is ECDHE-RSA-AES128-GCM-SHA256' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Server Temp Key: ECDH' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Verify return code: 0' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should not contain 'fail' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should not contain 'error:'
Comment 13 errata-xmlrpc 2015-06-04 09:12:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1056.html