Bug 1251796

Summary: Need 2048-bit DH support for JWS HTTPD
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Eiichi Nagai <enagai>
Component: httpd
Assignee: Jean-frederic Clere <jclere>
Status: CLOSED EOL
QA Contact: Michal Karm Babacek <mbabacek>
Severity: unspecified
Docs Contact: Betty Prioux <bprioux>
Priority: unspecified
Version: 2.1.0
CC: jdoyle, jonderka, jpallich, ksuzumur, mbabacek, pslavice, rsvoboda, twalsh
Target Milestone: DR01
Target Release: 2.1.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Httpd should be able to use bigger keys for secure connections.
Consequence: OpenSSL is updated to version 1.0.2h, which allows a newly generated DH_PARAM key to be appended to the default certificate file localhost.crt.
Fix: After installing httpd and running the .postinstall script, use a few more commands to extend the default certificate file if needed. Run the openssl provided by the zip/rpm package with "<path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048" to generate DH_PARAM with a 2048-bit key. Append the content of dh_2048.pem to the localhost.crt created by the .postinstall script (httpd/conf.d/ssl.conf shows the proper destination of the file). Now start the httpd server.
Result: The server starts with the extended Server Temp Key: DH, 2048 bits. You can verify it by running "<path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384".
Story Points: ---
Clone Of:
: 1338651
Environment:
Last Closed: 2019-06-13 12:09:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1338651
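The Doc Text above gives the procedure as four loose commands. The script below is an added example (not part of this bug report and not JWS product code) that wraps the same steps in POSIX sh functions with the checks a practitioner would want: it refuses to touch a file that has no CERTIFICATE block, appends the DH PARAMETERS block only once (so re-running it never leaves two copies in localhost.crt), keeps a backup, and exposes the openssl verification steps from the Doc Text as functions. The OPENSSL variable, the DH_BITS variable, the function names and the file paths in the usage comment are assumptions; the openssl commands and the cipher name come from the Doc Text.

```shell
#!/bin/sh
# Added example: append DH parameters to the httpd certificate file the way the
# bug's Doc Text describes, but idempotently and with pre-flight checks.
# OPENSSL and DH_BITS are assumed names; point OPENSSL at the openssl binary
# shipped with JWS (the Doc Text's <path_to_provided_openssl_folder>/openssl).
OPENSSL="${OPENSSL:-openssl}"
DH_BITS="${DH_BITS:-2048}"

# Generate DH parameters of $DH_BITS bits into file $1 (the slow step).
gen_dhparam() {
    "$OPENSSL" dhparam -out "$1" "$DH_BITS"
}

# Return 0 if file $1 already contains a DH PARAMETERS PEM block.
has_dhparam() {
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$1" 2>/dev/null
}

# Return 0 if file $1 contains a CERTIFICATE PEM block (sanity check before editing).
has_certificate() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Append the DH PARAMETERS block from $2 to certificate file $1, once only.
# Prints "appended" or "already-present" on success; returns 2 on a bad input.
append_dhparam() {
    crt="$1"
    dh="$2"
    if ! has_certificate "$crt"; then
        echo "error: $crt has no CERTIFICATE block" >&2
        return 2
    fi
    if ! has_dhparam "$dh"; then
        echo "error: $dh has no DH PARAMETERS block" >&2
        return 2
    fi
    if has_dhparam "$crt"; then
        echo "already-present"
        return 0
    fi
    cp "$crt" "$crt.bak"                       # keep a rollback copy
    [ -z "$(tail -c1 "$crt")" ] || echo >> "$crt"   # ensure the cert ends with a newline
    cat "$dh" >> "$crt"
    echo "appended"
}

# Print the bit length of the DH parameters in file $1 (requires openssl).
dhparam_bits() {
    "$OPENSSL" dhparam -in "$1" -noout -text \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Handshake check from the Doc Text: on a fixed server the printed line should
# read "Server Temp Key: DH, 2048 bits". $1 defaults to localhost:443.
check_server_temp_key() {
    printf 'Q\n' | "$OPENSSL" s_client -connect "${1:-localhost:443}" \
        -cipher DHE-RSA-AES256-GCM-SHA384 2>/dev/null | grep 'Server Temp Key'
}

# Usage (paths are assumptions; take the real certificate path from
# SSLCertificateFile in httpd/conf.d/ssl.conf, as the Doc Text says):
#   gen_dhparam dh_2048.pem
#   append_dhparam /opt/jws/httpd/conf/localhost.crt dh_2048.pem
#   dhparam_bits dh_2048.pem
#   check_server_temp_key localhost:443
```

The idempotency check matters because the plain `cat dh_2048.pem >> localhost.crt` from the Doc Text, run a second time (for example by a re-executed install script), leaves two DH blocks in the file; the `.bak` copy lets you roll the file back if httpd refuses to start after the edit.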

Description Eiichi Nagai 2015-08-10 01:06:11 UTC
Description of problem:
The customer needs to set 2048 bit DH on JWS httpd.
It seems that there is the "SSLOpenSSLConfCmd DHParameters" configuration in Apache httpd 2.4.8+, and the DH PARAMETERS can be set in Apache httpd 2.4.7+ for 2048 bit DH [1].
However, JWS 2.1 is Apache httpd 2.2.26 and JWS 3.0 is Apache httpd 2.4.6 [2]. It means that current JWS httpd cannot set 2048 bit DH.

[1] https://weakdh.org/sysadmin.html
~~~
In newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file.
~~~

[2] https://weakdh.org/sysadmin.html

Version-Release number of selected component (if applicable):
JWS 2.1
* If we can accept this request on JWS 2.1, please also fix JWS 3.0.

Comment 1 Timothy Walsh 2015-08-17 03:06:15 UTC
This seems like a duplicate 

BZ 1238084

and

RHEA-2015:1584

Comment 8 Jean-frederic Clere 2016-06-22 12:14:46 UTC
The update of openssl to 1.0.2h allows using the dh_param in the certificate file.

Comment 9 Jan Onderka 2016-08-05 10:28:47 UTC
Added Doc-text

Comment 10 PnT Account Manager 2017-12-08 00:03:24 UTC
Employee 'fgoldefu' has left the company.