On 21 May 2015 at 13:53, Stefan G. Weichinger <li...@xunil.at> wrote:

> Heard of logjam today -> https://weakdh.org
>
> Tried to fix it following:
>
> https://weakdh.org/sysadmin.html
>
> for postfix that works
>
> for apache-2.2.29 (=stable gentoo package) I googled that one has to
>
> # cat dhparams.pem >> /my/ssl_cert_file
>
> and restart apache

Hmm, where did you read that? The custom DH parameters are supported in SSLCertificateFile with apache >= 2.4.7.
(see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)

Unfortunately the suggested SSLOpenSSLConfCmd option from https://weakdh.org/sysadmin.html is available only from apache >= 2.4.8
(see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd)

> But even then the tests at weakdh.org and
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> tell me I have too weak DH groups
>
> Does anyone have the same issue? And a solution?
>
> Thanks, regards, Stefan

With apache 2.2 you'll have to patch manually for now, for example this patch:
http://serverfault.com/a/693448/88476

I don't run any apache 2.2 instances so I can't test.

Fortunately it's quite easy to apply custom patches with gentoo:
https://wiki.gentoo.org/wiki//etc/portage/patches

Have a nice day,
Paul
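
An added example, not part of the original message: a check of whether a certificate file with DH parameters appended (the `cat dhparams.pem >> ...` step quoted above) will have them read by a given httpd version, and how large the prime is. The function names, the constructed sample parameters and the 2048-bit minimum are assumptions of this example; the 2.4.7 threshold is the one given in the reply.

```python
import base64
import re

DH_IN_CERTFILE_MIN = (2, 4, 7)  # threshold from the reply above
PEM_DH = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    """Read a DER length at buf[i]; return (length, offset of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the DH prime found in a certificate file, or None."""
    m = PEM_DH.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:  # outer SEQUENCE
        raise ValueError("not a DH parameters SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:  # first INTEGER is the prime p
        raise ValueError("expected INTEGER p")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def assess(httpd_version, certfile_text, min_bits=2048):
    """Report whether appended DH parameters are read and large enough."""
    bits = dh_prime_bits(certfile_text)
    if bits is None:
        return "no DH parameters in file"
    if tuple(int(x) for x in httpd_version.split(".")) < DH_IN_CERTFILE_MIN:
        return f"{bits}-bit parameters not read by unpatched httpd {httpd_version}"
    return f"{bits}-bit parameters read" + (", too small" if bits < min_bits else "")

def constructed_pem(bits):
    """Constructed sample: SEQUENCE{INTEGER p, INTEGER 2}; p is not a real prime."""
    def tlv(tag, body):
        n = len(body)
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
        return bytes([tag]) + head + body
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    der = tlv(0x30, tlv(0x02, p) + tlv(0x02, b"\x02"))
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    for ver, bits in (("2.2.29", 2048), ("2.4.7", 1024), ("2.4.10", 2048)):
        print(ver, "->", assess(ver, constructed_pem(bits)))
```

To use it on a real host, pass the contents of the file named by SSLCertificateFile as `certfile_text`.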