Bug 1180223

Summary: mod_ssl uses small DHE parameters for non standard RSA keys
Product: Red Hat Software Collections Reporter: Ondřej Pták <optak>
Component: httpdAssignee: Jan Kaluža <jkaluza>
Status: CLOSED ERRATA QA Contact: Ondřej Pták <optak>
Severity: medium Docs Contact:
Priority: medium    
Version: httpd24CC: hkario, isenfeld, jkaluza, jorton, kanderso, mfrodl, rmainz
Target Milestone: rc   
Target Release: 2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd24-httpd-2.4.12-1.el7 httpd24-httpd-2.4.12-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1073078 Environment:
Last Closed: 2015-06-04 09:13:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1057687, 1071292, 1073078    
Bug Blocks: 1073081    

Comment 1 Ondřej Pták 2015-01-08 16:19:39 UTC 
this should be fixed in httpd 2.4.10 (rhscl-2.0)
Comment 6 Ondřej Pták 2015-05-04 09:11:31 UTC 
httpd24-mod_ssl-2.4.12-6.el7, httpd24-mod_ssl-2.4.12-3.el6
==========================================================
:: [   INFO   ] :: Testing 2047 bit RSA keys with 2048 DHE keys
:: [   PASS   ] :: Command 'openssl req -x509 -newkey rsa:2047 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [   PASS   ] :: Start httpd server (Expected 0, got 0)
:: [   PASS   ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.m4Fl0eo74L' should contain 'Server Temp Key: DH, 2048 bits' 
:: [   PASS   ] :: File '/var/tmp/tmp.m4Fl0eo74L' should contain 'Server public key is 2047 bit'
Comment 8 errata-xmlrpc 2015-06-04 09:13:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1056.html