Re: apache-httpd-openbsd: new DH params
On 2016/02/02 14:10, Darren Tucker wrote: > On Mon, Feb 01, 2016 at 12:56:43PM +, Stuart Henderson wrote: > > Based on my memory of dtucker's earlier diff which I OK'd and lost :-) > > Below is the patch for reference (after some more turd polishing on my > part). I also had second thoughts about generating it at build time for > reasons of slowness and fingerprinting potential and never got back to it. I have that one, but didn't forward that for those reasons (and I didn't want to dig into all the implications of changing sizes) it's the earlier one which updated the 512/1024 hardcoded values that I didn't keep a copy of and was recreating here. > > This updates the baked-in DH params of the apache 1.3 port for people > > who haven't been able to migrate to a supported http server yet. > > There's an explanation in the comment in the patch header. > [...] > > +The whole source file can be run as a perl script (note it uses > > +indent(1) and .indent.pro files in your $HOME affect formatting). > > My diff cd'ed to and setenv'ed HOME to the buld working dir to avoid > those dependencies (based on what the FreeBSD port did): > > (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl > ssl_engine_dh.c) Yes, that's definitely needed if it's generated during the build.
Re: apache-httpd-openbsd: new DH params
On Mon, Feb 01, 2016 at 12:56:43PM +, Stuart Henderson wrote: > Based on my memory of dtucker's earlier diff which I OK'd and lost :-) Below is the patch for reference (after some more turd polishing on my part). I also had second thoughts about generating it at build time for reasons of slowness and fingerprinting potential and never got back to it. > This updates the baked-in DH params of the apache 1.3 port for people > who haven't been able to migrate to a supported http server yet. > There's an explanation in the comment in the patch header. [...] > +The whole source file can be run as a perl script (note it uses > +indent(1) and .indent.pro files in your $HOME affect formatting). My diff cd'ed to and setenv'ed HOME to the buld working dir to avoid those dependencies (based on what the FreeBSD port did): (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c) Index: www/apache-httpd-openbsd/Makefile === RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- www/apache-httpd-openbsd/Makefile 17 Jul 2015 23:58:25 - 1.10 +++ www/apache-httpd-openbsd/Makefile 2 Feb 2016 03:01:22 - @@ -3,7 +3,7 @@ COMMENT= OpenBSD improved and secured version of Apache 1.3 DISTNAME= apache-httpd-openbsd-1.3.20140502 -REVISION= 4 +REVISION= 5 CATEGORIES=www HOMEPAGE= https://github.com/fobser/apache-httpd-openbsd @@ -24,6 +24,7 @@ RUN_DEPENDS= www/apache-httpd,-common do-configure: @${SUBST_CMD} ${WRKSRC}/config.layout ${WRKSRC}/Makefile.bsd-wrapper + (cd ${WRKSRC}/src/modules/ssl && ${SETENV} HOME=${WRKSRC} perl ssl_engine_dh.c) post-install: .for i in httpd.conf mime.types magic Index: www/apache-httpd-openbsd/patches/patch-gendh === RCS file: www/apache-httpd-openbsd/patches/patch-gendh diff -N www/apache-httpd-openbsd/patches/patch-gendh --- /dev/null 1 Jan 1970 00:00:00 - +++ www/apache-httpd-openbsd/patches/patch-gendh2 Feb 2016 03:01:22 - @@ -0,0 +1,69 @@ +--- src/modules/ssl/ssl_engine_dh.c.orig Tue Dec 1 17:43:37 2015 src/modules/ssl/ssl_engine_dh.cWed Dec 2 10:16:33 2015 +@@ -152,12 +152,10 @@ + { + DH *dh; + +-if (nKeyLen == 512) +-dh = get_dh512(); +-else if (nKeyLen == 1024) ++if (nKeyLen < 1024) + dh = get_dh1024(); + else +-dh = get_dh1024(); ++dh = get_dh2048(); + return dh; + } + +@@ -197,7 +195,7 @@ + close(FP); + + # generate the DH parameters +-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; ++print "1. Generate 1024 and 2048 bit Diffie-Hellman parameters (p, g)\n"; + my $rand = ''; + foreach $file (qw(/var/log/messages /var/adm/messages + /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { +@@ -207,15 +205,15 @@ + } + } + $rand = "-rand $rand" if ($rand ne ''); +-system("openssl gendh $rand -out dh512.pem 512"); +-system("openssl gendh $rand -out dh1024.pem 1024"); ++system("openssl gendh -out dh1024.pem 1024"); ++system("openssl gendh -out dh2048.pem 2048"); + + # generate DH param info + my $dhinfo = ''; +-open(FP, "openssl dh -noout -text -in dh512.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; + $dhinfo .= $_ while (); + close(FP); +-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; ++open(FP, "openssl dh -noout -text -in dh2048.pem |") || die; + $dhinfo .= $_ while (); + close(FP); + $dhinfo =~ s|^|** |mg; +@@ -223,10 +221,10 @@ + + # generate C source from DH params + my $dhsource = ''; +-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die; + $dhsource .= $_ while (); + close(FP); +-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die; ++open(FP, "openssl dh -noout -C -in dh2048.pem | indent | expand |") || die; + $dhsource .= $_ while (); + close(FP); + $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg; +@@ -244,8 +242,8 @@ + close(FP); + + # cleanup +-unlink("dh512.pem"); + unlink("dh1024.pem"); ++unlink("dh2048.pem"); + + =pod + */ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: apache-httpd-openbsd: new DH params
Thanks, looking at the diff I might just spend the effort moving to a newer apache or other webserver. I'd like to be able o use different dh parameters per site. There is also other stuff like sni etc. -Otto On Mon, Feb 01, 2016 at 12:56:43PM +, Stuart Henderson wrote: > Based on my memory of dtucker's earlier diff which I OK'd and lost :-) > This updates the baked-in DH params of the apache 1.3 port for people > who haven't been able to migrate to a supported http server yet. > There's an explanation in the comment in the patch header. > > OK? > > Note that presence of this port is starting to cause problems > with other ports, it is quite likely to be retired after 5.9 release. > > Index: Makefile > === > RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v > retrieving revision 1.12 > diff -u -p -r1.12 Makefile > --- Makefile 30 Dec 2015 10:22:33 - 1.12 > +++ Makefile 1 Feb 2016 12:51:59 - > @@ -3,7 +3,7 @@ > COMMENT= OpenBSD improved and secured version of Apache 1.3 > > DISTNAME=apache-httpd-openbsd-1.3.20140502 > -REVISION=6 > +REVISION=7 > CATEGORIES= www > > HOMEPAGE=https://github.com/fobser/apache-httpd-openbsd > Index: patches/patch-src_modules_ssl_ssl_engine_dh_c > === > RCS file: patches/patch-src_modules_ssl_ssl_engine_dh_c > diff -N patches/patch-src_modules_ssl_ssl_engine_dh_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-src_modules_ssl_ssl_engine_dh_c 1 Feb 2016 12:51:59 > - > @@ -0,0 +1,154 @@ > +$OpenBSD$ > + > +Replace baked-in DH parameters with new ones. ("Logjam" attack). > +The whole source file can be run as a perl script (note it uses > +indent(1) and .indent.pro files in your $HOME affect formatting). > +This is not done at build time to avoid a means of fingerprinting > +the build/arch/etc. > + > +These are still only 1024 bit to avoid adjusting logic to do with > +export ciphers (they're no longer supported by LibreSSL anyway, > +but that's a bigger change than desirable for this port which > +is on life-support anyway). > + > +USERS OF THIS PORT ARE STRONGLY ENCOURAGED TO MIGRATE THEIR > +CONFIGURATION TO ALTERNATIVE SERVER SOFTWARE. > + > +--- src/modules/ssl/ssl_engine_dh.c.orig Sat Apr 26 14:51:13 2014 > src/modules/ssl/ssl_engine_dh.c Mon Feb 1 12:42:33 2016 > +@@ -67,43 +67,42 @@ > + /* BEGIN GENERATED SECTION */ > + > + /* > +-** Diffie-Hellman-Parameters: (512 bit) > +-** prime: > +-** 00:d4:bc:d5:24:06:f6:9b:35:99:4b:88:de:5d:b8: > +-** 96:82:c8:15:7f:62:d8:f3:36:33:ee:57:72:f1:1f: > +-** 05:ab:22:d6:b5:14:5b:9f:24:1e:5a:cc:31:ff:09: > +-** 0a:4b:c7:11:48:97:6f:76:79:50:94:e7:1e:79:03: > +-** 52:9f:5a:82:4b > +-** generator: 2 (0x2) > +-** Diffie-Hellman-Parameters: (1024 bit) > +-** prime: > +-** 00:e6:96:9d:3d:49:5b:e3:2c:7c:f1:80:c3:bd:d4: > +-** 79:8e:91:b7:81:82:51:bb:05:5e:2a:20:64:90:4a: > +-** 79:a7:70:fa:15:a2:59:cb:d5:23:a6:a6:ef:09:c4: > +-** 30:48:d5:a2:2f:97:1f:3c:20:12:9b:48:00:0e:6e: > +-** dd:06:1c:bc:05:3e:37:1d:79:4e:53:27:df:61:1e: > +-** bb:be:1b:ac:9b:5c:60:44:cf:02:3d:76:e0:5e:ea: > +-** 9b:ad:99:1b:13:a6:3c:97:4e:9e:f1:83:9e:b5:db: > +-** 12:51:36:f7:26:2e:56:a8:87:15:38:df:d8:23:c6: > +-** 50:50:85:e2:1f:0d:d5:c8:6b > +-** generator: 2 (0x2) > ++** PKCS#3 DH Parameters: (512 bit) > ++** prime: > ++** 00:d3:9e:43:c4:21:05:a4:94:3a:28:c0:c0:2b:4c: > ++** 45:d9:89:d8:17:e6:73:7a:32:5b:f2:5a:f3:51:b8: > ++** ec:ee:34:3a:76:1a:43:63:38:5e:6c:bc:63:2c:41: > ++** 81:50:7a:ff:69:a9:f0:ba:ca:5a:61:f7:01:d7:db: > ++** cc:9f:5e:33:83 > ++** generator: 2 (0x2) > ++** PKCS#3 DH Parameters: (1024 bit) > ++** prime: > ++** 00:8b:23:e7:d5:7b:42:16:0f:b3:e3:36:89:de:ca: > ++** eb:0f:6b:44:e6:96:78:81:5c:89:55:55:10:c3:73: > ++** d6:5d:3a:30:b3:3f:b5:c6:12:f4:6d:16:f6:55:24: > ++** 4e:92:1e:c8:d1:da:18:27:ce:d3:98:cf:7c:3d:f0: > ++** 77:ea:d6:8f:e4:24:b4:67:4a:7d:9c:e2:83:bc:e9: > ++** 16:a5:3f:01:f1:4f:e4:1a:51:2f:50:66:4b:b4:12: > ++** 4a:5e:c9:43:e0:54:85:c3:93:57:b3:43:0f:20:f7: > ++** 32:14:d1:79:11:c2:fb:c5:a4:ea:34:3b:f2:eb:f3: > ++** c1:8b:37:01:a6:61:04:cb:c3 > ++** generator: 2 (0x2) > + */ > + > +-static unsigned char dh512_p[] = > +-{ > +-0xD4, 0xBC, 0xD5, 0x24, 0x06, 0xF6, 0x9B, 0x35, 0x99, 0x4B, 0x88, 0xDE, > +-0x5D, 0xB8, 0x96, 0x82, 0xC8, 0x15, 0x7F, 0x62, 0xD8, 0xF3, 0x36, 0x33, > +-0xEE, 0x57, 0x72, 0xF1, 0x1F, 0x05, 0xAB, 0x22, 0xD6, 0xB5, 0x14, 0x5B, > +-0x9F, 0x24, 0x1E, 0x5A, 0xCC, 0x31, 0xFF, 0x09, 0x0A, 0x4B, 0xC7, 0x11, > +-0x48, 0x97, 0x6F,