[Bug 1197884] Re: apache2.2 SSL has no forward-secrecy: need ECDHE keys
Mathew Hodson
mathew.hodson at gmail.com
Wed Jun 3 06:56:42 UTC 2015
** Also affects: apache2
Importance: Undecided
Status: New
** Changed in: apache2
Importance: Undecided => Unknown
** Changed in: apache2
Status: New => Unknown
** Changed in: apache2
Remote watch: None => bz.apache.org/bugzilla/ #49559
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys
Status in Apache2 Web Server:
Unknown
Status in apache2 package in Ubuntu:
Fix Released
Status in apache2 source package in Precise:
Fix Released
Status in apache2 package in Debian:
Fix Released
Bug description:
In the light of recent revelations about Prism/NSA/GCHQ etc, it is
more important than ever to keep SSL secure.
But... as far as I can tell, there exists no combination of SSL cIphers that satisfies all of:
* Resistant to the BEAST attack
* Has Perfect Forward Secrecy
* Is in Apache 2.2
[I'm testing with: https://www.ssllabs.com/ssltest/analyze.html ]
The only solution seems to be to deploy Apache 2.4 (or backport the
ECDHE ciphers into the 2.2 package).
Can I suggest therefore that the lack of Apache 2.4 packages
represents a serious security vulnerability to people visiting
websites hosted on Ubuntu.
This affects every currently released Ubuntu distro (including
raring). There is still no pacakge of apache 2.4, nor is there a
backport of the ECDHE feature. There are some PPAs of 2.4, but these
aren't maintained with security updates, nor do they support mod_php.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1197884/+subscriptions
More information about the Ubuntu-sponsors
mailing list