Bug 1251796 - Need 2048-bit DH support for JWS HTTPD
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd (Show other bugs)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: DR01
Target Release: 2.1.1
Assigned To: Jean-frederic Clere
Michal Karm Babacek
Betty Prioux
Depends On:
Blocks: 1338651
Reported: 2015-08-09 21:06 EDT by Eiichi Nagai
Modified: 2017-12-07 19:03 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: httpd should be able to use bigger keys for secure connections. Consequence: OpenSSL is updated to version 1.0.2h, which allows a newly generated DH_PARAM key to be appended to the default certificate file localhost.crt. Fix: After installing httpd and running the .postinstall script, a few more commands extend the default certificate file if needed. Run the openssl provided by the zip/rpm package with "<path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048" to generate a DH_PARAM with a 2048-bit key. Append the content of dh_2048.pem to the localhost.crt created by the .postinstall script (httpd/conf.d/ssl.conf shows the proper location of the file). Now start the httpd server. Result: The server starts with an extended Server Temp Key: DH, 2048 bits. You can verify it by running "<path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384".
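The Doc Text procedure above, scripted as an added example (not part of the bug or the JWS package): the append step is made idempotent so re-running it never duplicates the DH block, and the s_client output is checked for the expected key size. The CERT path, the OPENSSL variable and the RUN_DH_SETUP switch are assumptions.

```shell
#!/bin/sh
# Added example helpers for appending dh_2048.pem to localhost.crt and
# verifying the negotiated DH key size. Paths below are assumptions.
set -eu

# Returns 0 if the file already carries a DH PARAMETERS block.
has_dh_params() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Append the DH parameter file to the certificate file exactly once;
# running the .postinstall follow-up twice must not duplicate the block.
append_dh_params() {
    cert=$1; dh=$2
    if has_dh_params "$cert"; then
        echo "DH parameters already present in $cert" >&2
        return 0
    fi
    # The certificate file must end with a newline before appending.
    [ -z "$(tail -c 1 "$cert")" ] || echo >> "$cert"
    cat "$dh" >> "$cert"
}

# Extract the key size from a saved openssl s_client transcript:
# "Server Temp Key: DH, 2048 bits" -> 2048; prints nothing if absent.
temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' "$1"
}

# Full procedure, run only on request because it needs the bundled openssl
# and a running httpd (start httpd between the append and the check).
if [ "${RUN_DH_SETUP:-0}" = 1 ]; then
    OPENSSL=${OPENSSL:-openssl}                   # zip/rpm-provided openssl (assumed path)
    CERT=${CERT:-/etc/httpd/conf/localhost.crt}   # assumed; ssl.conf shows the real path
    "$OPENSSL" dhparam -out dh_2048.pem 2048
    append_dh_params "$CERT" dh_2048.pem
    echo "Start httpd now, then press Enter to verify." >&2; read -r _
    "$OPENSSL" s_client -connect localhost:443 \
        -cipher DHE-RSA-AES256-GCM-SHA384 </dev/null 2>/dev/null > s_client.out || true
    bits=$(temp_key_bits s_client.out)
    [ "$bits" = 2048 ] && echo "OK: Server Temp Key: DH, $bits bits" \
        || { echo "FAIL: Server Temp Key not 2048-bit DH (got '$bits')" >&2; exit 1; }
fi
```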
Story Points: ---
Clone Of:
: 1338651 (view as bug list)
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Eiichi Nagai 2015-08-09 21:06:11 EDT
Description of problem:
The customer needs to set 2048 bit DH on JWS httpd.
It seems that there is the "SSLOpenSSLConfCmd DHParameters" configuration in Apache httpd 2.4.8+, and the DH PARAMETERS can be set in Apache httpd 2.4.7+ for 2048-bit DH [1].
However, JWS 2.1 is Apache httpd 2.2.26 and JWS 3.0 is Apache httpd 2.4.6 [2]. It means that the current JWS httpd cannot set 2048-bit DH.

[1] https://weakdh.org/sysadmin.html
In newer versions of Apache (2.4.8 and newer) and OpenSSL 1.0.2 or later, you can directly specify your DH params file as follows:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file.

[2] https://weakdh.org/sysadmin.html

Version-Release number of selected component (if applicable):
JWS 2.1
* If we can accept this request on JWS 2.1, please also fix JWS 3.0.
Comment 1 Timothy Walsh 2015-08-16 23:06:15 EDT
This seems like a duplicate of BZ 1238084.
Comment 8 Jean-frederic Clere 2016-06-22 08:14:46 EDT
The update of openssl to 1.0.2h allows use of the dh_param in the certificate file.
Comment 9 Jan Onderka 2016-08-05 06:28:47 EDT
Added Doc-text
Comment 10 Bugzilla account termination 2017-12-07 19:03:24 EST
Employee 'fgoldefu@redhat.com' has left the company.