On Mon, Feb 01, 2016 at 12:56:43PM +0000, Stuart Henderson wrote:
> Based on my memory of dtucker's earlier diff which I OK'd and lost :-)
Below is the patch for reference (after some more turd polishing on my part). I also had second thoughts about generating it at build time for reasons of slowness and fingerprinting potential and never got back to it.

> This updates the baked-in DH params of the apache 1.3 port for people who haven't been able to migrate to a supported http server yet. There's an explanation in the comment in the patch header.

[...]

> +The whole source file can be run as a perl script (note it uses
> +indent(1) and .indent.pro files in your $HOME affect formatting).

My diff cd'ed to and setenv'ed HOME to the build working dir to avoid those dependencies (based on what the FreeBSD port did):

(cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)

Index: www/apache-httpd-openbsd/Makefile =================================================================== RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- www/apache-httpd-openbsd/Makefile 17 Jul 2015 23:58:25 -0000 1.10 +++ www/apache-httpd-openbsd/Makefile 2 Feb 2016 03:01:22 -0000 @@ -3,7 +3,7 @@ COMMENT= OpenBSD improved and secured version of Apache 1.3 DISTNAME= apache-httpd-openbsd-1.3.20140502 -REVISION= 4 +REVISION= 5 CATEGORIES= www HOMEPAGE= https://github.com/fobser/apache-httpd-openbsd @@ -24,6 +24,7 @@ RUN_DEPENDS= www/apache-httpd,-common do-configure: @${SUBST_CMD} ${WRKSRC}/config.layout ${WRKSRC}/Makefile.bsd-wrapper + (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c) post-install: .for i in httpd.conf mime.types magic Index: www/apache-httpd-openbsd/patches/patch-gendh =================================================================== RCS file: www/apache-httpd-openbsd/patches/patch-gendh diff -N www/apache-httpd-openbsd/patches/patch-gendh --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ www/apache-httpd-openbsd/patches/patch-gendh 2 Feb 2016 03:01:22 -0000
@@ -0,0 +1,69 @@ +--- src/modules/ssl/ssl_engine_dh.c.orig Tue Dec 1 17:43:37 2015 ++++ src/modules/ssl/ssl_engine_dh.c Wed Dec 2 10:16:33 2015 +@@ -152,12 +152,10 @@ + { + DH *dh; + +- if (nKeyLen == 512) +- dh = get_dh512(); +- else if (nKeyLen == 1024) ++ if (nKeyLen < 1024) + dh = get_dh1024(); + else +- dh = get_dh1024(); ++ dh = get_dh2048(); + return dh; + } + +@@ -197,7 +195,7 @@ + close(FP); + + # generate the DH parameters +-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; ++print "1. Generate 1024 and 2048 bit Diffie-Hellman parameters (p, g)\n"; + my $rand = ''; + foreach $file (qw(/var/log/messages /var/adm/messages + /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { +@@ -207,15 +205,15 @@ + } + } + $rand = "-rand $rand" if ($rand ne ''); +-system("openssl gendh $rand -out dh512.pem 512"); +-system("openssl gendh $rand -out dh1024.pem 1024"); ++system("openssl gendh -out dh1024.pem 1024"); ++system("openssl gendh -out dh2048.pem 2048"); + + # generate DH param info + my $dhinfo = ''; +-open(FP, "openssl dh -noout -text -in dh512.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; + $dhinfo .= $_ while (<FP>); + close(FP); +-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die; + $dhinfo .= $_ while (<FP>); + close(FP); + $dhinfo =~ s|^|** |mg; +@@ -223,10 +221,10 @@ + + # generate C source from DH params + my $dhsource = ''; +-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die; + $dhsource .= $_ while (<FP>); + close(FP); +-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die; + $dhsource .= $_ while (<FP>); + close(FP); + $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg; +@@ -244,8 +242,8 @@ + close(FP); + + # cleanup 
+-unlink("dh512.pem"); + unlink("dh1024.pem"); ++unlink("dh2048.pem"); + + =pod + */
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
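Review bot: the new do-configure line `(cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c)` in the Makefile hunk `@@ -24,6 +24,7 @@` regenerates ssl_engine_dh.c with freshly generated groups on every build, so the package is no longer reproducible and two builds of the same REVISION ship different DH parameters; it also runs a 2048-bit `openssl gendh` on every build, which is slow. If build-time generation is kept, a one-line comment explaining why HOME is overridden (to keep the builder's ~/.indent.pro out of the generated source) would save the next reader a trip to this thread; otherwise generating the parameters once and committing the resulting C arrays into patch-gendh gives a deterministic build.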
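Review bot: in the hunk `@@ -152,12 +152,10 @@` the replacement test `if (nKeyLen < 1024)` changes behaviour for an exact request of 1024 bits: the old code returned get_dh1024() for nKeyLen == 1024, the new code returns get_dh2048() for anything at or above 1024, and only requests below 1024 (the old 512 case) get the 1024-bit group. If that is the intent (never hand out less than 1024 bits, 2048 for the normal case), say so in a comment above the if, since the exact-match mapping is gone and the bare else no longer documents the default. The commit log should also mention that 2048-bit groups are rejected by TLS clients that cap DH primes at 1024 bits (older Java stacks), which is a user-visible change for anyone still fronting such clients with apache 1.3.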
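Review bot: in the hunk `@@ -207,15 +205,15 @@` the `$rand` argument is dropped from both `system("openssl gendh ...")` calls, but the `my $rand = '';` declaration, the `foreach $file (qw(/var/log/messages /var/adm/messages /kernel ...` loop and `$rand = "-rand $rand" if ($rand ne '');` above them are kept, so that whole block is now dead code; remove it in the same patch rather than leaving a seeding routine that reads log files and kernel images for entropy but is never used. Separately, `openssl gendh` is the legacy spelling of `openssl dhparam`; confirm the openssl(1) on the build host still accepts it, because with build-time generation a missing subcommand turns into a do-configure failure rather than a stale-parameters problem.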