[Bug 1197884] Re: apache2.2 SSL has no forward-secrecy: need ECDHE keys

Launchpad Bug Tracker 1197884 at bugs.launchpad.net
Tue Jun 2 12:30:48 UTC 2015


This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.9

---------------
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
    (LP: #1197884)
    - debian/patches/ecc_support.patch: add support to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_toolkit_compat.h, modules/ssl/ssl_util.c,
  * SECURITY IMPROVEMENT: add TLSv1.x options to SSLProtocol (LP: #1400473)
    - debian/patches/tls_options.patch: allow specifying later TLSv1.x
      options in modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_init.c, modules/ssl/ssl_engine_kernel.c,
      modules/ssl/ssl_private.h.
  * SECURITY IMPROVEMENT: improve ephemeral key handling, including
    allowing DH parameters to be loaded from SSLCertificateFile and
    disabling EXPORT ciphers.
    - debian/patches/ephemeral_key_handling.patch: numerous improvements to
      modules/ssl/mod_ssl.c, modules/ssl/ssl_engine_config.c,
      modules/ssl/ssl_engine_dh.c, modules/ssl/ssl_engine_init.c,
      modules/ssl/ssl_engine_kernel.c, modules/ssl/ssl_private.h,
      modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Thu, 28 May 2015
12:26:50 -0400

** Changed in: apache2 (Ubuntu Precise)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884

Title:
  apache2.2 SSL has no forward-secrecy: need ECDHE keys

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Precise:
  Fix Released
Status in apache2 package in Debian:
  Fix Released

Bug description:
  In the light of recent revelations about Prism/NSA/GCHQ etc, it is
  more important than ever to keep SSL secure.

  But... as far as I can tell, there exists no combination of SSL cIphers that satisfies all of:
   
   *  Resistant to the BEAST attack
   * Has Perfect Forward Secrecy
   * Is in Apache 2.2

  [I'm testing with: https://www.ssllabs.com/ssltest/analyze.html ]

  The only solution seems to be to deploy Apache 2.4 (or backport the
  ECDHE ciphers into the 2.2 package).

  Can I suggest therefore that the lack of Apache 2.4 packages
  represents a serious security vulnerability to people visiting
  websites hosted on Ubuntu.

  This affects every currently released Ubuntu distro (including
  raring). There is still no pacakge of apache 2.4, nor is there a
  backport of the ECDHE feature.  There are some PPAs of 2.4, but these
  aren't maintained with security updates, nor do they support mod_php.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+subscriptions



More information about the Ubuntu-sponsors mailing list