Bug 1251796
Summary: | Need 2048-bit DH support for JWS HTTPD | |||
---|---|---|---|---|
Product: | [JBoss] JBoss Enterprise Web Server 2 | Reporter: | Eiichi Nagai <enagai> | |
Component: | httpd | Assignee: | Jean-frederic Clere <jclere> | |
Status: | CLOSED EOL | QA Contact: | Michal Karm Babacek <mbabacek> | |
Severity: | unspecified | Docs Contact: | Betty Prioux <bprioux> | |
Priority: | unspecified | |||
Version: | 2.1.0 | CC: | jdoyle, jonderka, jpallich, ksuzumur, mbabacek, pslavice, rsvoboda, twalsh | |
Target Milestone: | DR01 | |||
Target Release: | 2.1.1 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause:
Httpd should be able to use bigger keys for secure connections.
Consequence:
OpenSSL is updated to version 1.0.2h, which allows a newly generated DH_PARAM key to be appended to the default certificate file localhost.crt.
Fix:
After installing httpd and running the .postinstall script, use a few more commands to extend the default certificate file if needed.
Run the openssl provided by the zip/rpm package with "<path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048" to generate DH_PARAM with a 2048-bit key. Append the content of dh_2048.pem to the localhost.crt created by the .postinstall script (httpd/conf.d/ssl.conf should show you the proper location of the file). Now start the httpd server.
Result:
The server starts with the extended Server Temp Key: DH, 2048 bits. You can verify it by running "<path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384".
|
Story Points: | --- | |
Clone Of: | ||||
: | 1338651 (view as bug list) | Environment: | ||
Last Closed: | 2019-06-13 12:09:34 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1338651 |
Description
Eiichi Nagai
2015-08-10 01:06:11 UTC
This seems like a duplicate of BZ 1238084 and RHEA-2015:1584.

The update of openssl to 1.0.2h allows the dh_param to be used in the certificate file.

Added Doc-text

Employee 'fgoldefu' has left the company.
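
The Doc Text procedure above (generate dh_2048.pem, append it to localhost.crt), as an added shell example that is not part of the bug report or the product's own scripts. The function names, the `OPENSSL` variable and the `--apply` switch are assumptions; the append is made idempotent so a rerun does not add a second DH block, and the certificate is backed up first.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names, $OPENSSL and the
# --apply switch are assumptions made for illustration.
OPENSSL="${OPENSSL:-openssl}"   # point this at the openssl from the zip/rpm

# has_dh_params FILE: succeeds if FILE carries a DH PARAMETERS PEM block.
has_dh_params() {
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$1"
}

# dh_bits FILE: print the size in bits of the DH parameters in FILE.
dh_bits() {
    "$OPENSSL" dhparam -in "$1" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# append_dh_params CERT DHFILE: append DHFILE to CERT once, keeping CERT.bak.
append_dh_params() {
    cert=$1; dh=$2
    has_dh_params "$dh" || { echo "no DH PARAMETERS block in $dh" >&2; return 2; }
    if has_dh_params "$cert"; then
        echo "$cert already has DH parameters, nothing appended" >&2
        return 0
    fi
    cp -p "$cert" "$cert.bak" || return 1
    # Keep PEM markers on their own lines if CERT lacks a final newline.
    [ -z "$(tail -c 1 "$cert")" ] || printf '\n' >> "$cert"
    cat "$dh" >> "$cert"
}

# Usage: script --apply /path/to/localhost.crt   (path as set in ssl.conf)
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    "$OPENSSL" dhparam -out dh_2048.pem 2048 || exit 1
    [ "$(dh_bits dh_2048.pem)" = "2048" ] || { echo "unexpected DH size" >&2; exit 1; }
    append_dh_params "$2" dh_2048.pem || exit 1
    echo "Start httpd, then check the Server Temp Key line with the s_client command from the Doc Text."
fi
```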