On 05/20/2015 10:53 AM, Michael Stone wrote: > On Wed, May 20, 2015 at 12:47:35PM -0400, Dan Ritter wrote: >> Is there any chance of getting Logjam ( https://weakdh.org/ ) >> mitigation for Wheezy packages? > > You can mitigate it right now by reconfiguring your server to remove DH > ciphers from SSLCipherSuite.
This particular configuration works very well with Apache 2.2:
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP
!PSK !SRP !DSS
signature.asc
Description: OpenPGP digital signature
