Bug 1138159 - Backport ECDH support to httpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: httpd
Version: httpd24
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
: 2.0
Assignee: Jan Kaluža
QA Contact: Ondřej Pták
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-04 07:38 UTC by Ingo Weiss
Modified: 2019-07-11 08:10 UTC (History)

Fixed In Version: httpd24-httpd-2.4.10-1.el7 httpd24-httpd-2.4.10-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 1035818
Environment:
Last Closed: 2015-06-04 09:12:50 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2015:1056 | 0 | normal | SHIPPED_LIVE | httpd24 bug fix and enhancement update | 2015-06-04 13:11:57 UTC

Comment 11 Ondřej Pták 2015-04-15 14:46:05 UTC
On rhel-7 ECDH support was even in version httpd24-httpd-devel-2.4.6-25.el7 (built against newer openssl)
On rhel-6 ECDH support was successfully added

httpd24-httpd-2.4.6-22.el6
==========================
something like this for every cipher variant tested:

:: [   FAIL   ] :: Connecting to localhost with openssl (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Cipher is ECDHE-RSA-AES256-SHA384' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Server Temp Key: ECDH' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should contain 'Verify return code: 0' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should not contain 'fail' 
:: [   FAIL   ] :: File '/var/tmp/tmp.MoZGzsAwMU' should not contain 'error:' 

httpd24-httpd-2.4.12-3.el6
==========================
test passed for all these cipher variants (log just from one):
ECDHE-RSA-AES128-GCM-SHA256   ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384       ECDHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA        ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-AES128-GCM-SHA256(curve=secp384r1)
ECDHE-ECDSA-AES128-GCM-SHA256(curve=secp521r1)
ECDHE-ECDSA-AES128-GCM-SHA256(curve=prime256v1)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Testing httpd with ECDH, cipher ECDHE-RSA-AES128-GCM-SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Connecting to localhost with openssl (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Cipher is ECDHE-RSA-AES128-GCM-SHA256' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Server Temp Key: ECDH' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should contain 'Verify return code: 0' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should not contain 'fail' 
:: [   PASS   ] :: File '/var/tmp/tmp.LyN7vd9DbS' should not contain 'error:'
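
The checks in the log above can be re-applied to any saved `openssl s_client` transcript. The script below is an added example, not the QA test used for this bug; the function names, the sample transcript, and the port and CA path in the comment are assumptions. It goes one step beyond the log by anchoring the cipher name, since the tested list contains both ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA384 and a substring match cannot tell them apart.

```shell
#!/bin/sh
# Added example, not the QA test from the bug. Applies the five checks seen in
# the log to a saved `openssl s_client` transcript; returns 0 only if all hold.
check_ecdh_transcript() {
    transcript=$1 cipher=$2 rc=0
    # Anchor the cipher name at end of line: a plain substring match for
    # ECDHE-RSA-AES256-SHA would also accept ECDHE-RSA-AES256-SHA384.
    grep -Eq -- "Cipher is ${cipher}[[:space:]]*\$" "$transcript" ||
        { echo "FAIL: negotiated cipher is not $cipher"; rc=1; }
    for want in "Server Temp Key: ECDH" "Verify return code: 0"; do
        grep -qF -- "$want" "$transcript" ||
            { echo "FAIL: missing '$want'"; rc=1; }
    done
    for bad in "fail" "error:"; do
        if grep -qF -- "$bad" "$transcript"; then
            echo "FAIL: transcript contains '$bad'"; rc=1
        fi
    done
    return "$rc"
}

# Constructed, abridged s_client output (not taken from the bug report).
write_sample() {   # $1 = output file, $2 = cipher reported as negotiated
    cat > "$1" <<EOF
CONNECTED(00000003)
---
Server Temp Key: ECDH, prime256v1, 256 bits
---
New, TLSv1/SSLv3, Cipher is $2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : $2
    Verify return code: 0 (ok)
---
EOF
}

# Against a live server the transcript would come from something like this
# (port and CA path are assumptions):
#   openssl s_client -connect localhost:443 -cipher "$cipher" \
#       -CAfile /path/to/ca.crt </dev/null >"$tmp" 2>&1
tmp=$(mktemp)
write_sample "$tmp" ECDHE-RSA-AES256-SHA384
check_ecdh_transcript "$tmp" ECDHE-RSA-AES256-SHA384 && echo "PASS: SHA384 suite"
check_ecdh_transcript "$tmp" ECDHE-RSA-AES256-SHA || echo "mismatch caught"
rm -f "$tmp"
```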

Comment 13 errata-xmlrpc 2015-06-04 09:12:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1056.html

