Launchpad has imported 21 comments from the remote bug at
https://bz.apache.org/bugzilla/show_bug.cgi?id=49559.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
** Also affects: apache2
Importance: Undecided
Status: New
** Changed in: apache2
Importance: Undecided = Unknown
** Changed in: apache2
Status: New = Unknown
** Changed in: apache2
Remote watch: None = bz.apache.org/bugzilla/ #49559
--
You received this bug notification
** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-3389
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need
This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.9
---
apache2 (2.2.22-1ubuntu1.9) precise-security; urgency=medium
* SECURITY IMPROVEMENT: add support for ECC keys and ECDH ciphers
(LP: #1197884)
- debian/patches/ecc_support.patch: add support to
https://bz.apache.org/bugzilla/show_bug.cgi?id=49559#c20
** Bug watch added: bz.apache.org/bugzilla/ #49559
https://bz.apache.org/bugzilla/show_bug.cgi?id=49559
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
There is a test package for precise available here:
https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages
Once it has gone through testing, it will be published as an update.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is
I did not want to wait until this is fixed for apache 2.22 in Ubuntu
12.04
So I took mod_ssl from apache 2.2.29 which supports ECDH.
Additional I removed the 512 and 1024 bit DH parameters from ssl_engine_dh.c
and replaced them with 2048 and 3072 bit.
Two DH keys are not needed because libssl in
I'll work on releasing this for precise next week.
** Changed in: apache2 (Ubuntu Precise)
Assignee: (unassigned) = Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
This is a patch I created, by backporting 2.4 commits for DH keys to
2.2, to solve the DH keys too small issues on certs.
Adding here in case it helps anyone.
** Patch added: DH key sizing backport from 2.4
With the recently released logjam attack, can we please revisit and
increase the priority for, backporting ECDHE support to apache2.2?
https://weakdh.org/
http://openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
--
You received this bug notification because you are a member of
hi,
i included the patch from debian to ubuntu. Added an debdiff.
about the openssl/mac os x problem:
if i follow the ciphers from
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-
apache-nginx-and-openssl-for-forward-secrecy
ciphers with ECDHE-ECDSA-* are not enabled, so
for a quick dirty solution you can replace
/usr/lib/apache2/modules/mod_ssl.so (x86_64)
** Attachment added: mod_ssl.so
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+attachment/4295297/+files/mod_ssl.so
--
You received this bug notification because you are a member of
FYI, ECDHE-ECDSA-* cipher suites are only enabled when using ECDSA SSL
certificates (with RSA being the most common).
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
i created a ppa:
https://launchpad.net/~jonathan00/+archive/ubuntu/apache2/
@Haw: Thanks for the info
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL
** Changed in: apache2 (Ubuntu Precise)
Importance: Undecided = Wishlist
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need
** Changed in: apache2 (Ubuntu Precise)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need
** Also affects: apache2 (Ubuntu Precise)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no
** Tags added: precise
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys
To manage notifications about this bug
** Bug watch added: Debian Bug tracker #733564
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733564
** Also affects: apache2 (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733564
Importance: Unknown
Status: Unknown
--
You received this bug notification because
This bug is for Apache 2.2 not for Apache 2.4 so don't mark as fix
released when thats not the case...
This has been fixed already in Debian 7.6 and there is a debdiff for it
so there should not be a considerable amount of work to apply it right
now.
Ubuntu 12.04 will be supported until 2017
** Changed in: apache2 (Debian)
Status: Unknown = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE
Thank you for linking the Debian bug.
This bug is for Apache 2.2 not for Apache 2.4 so don't mark as fix
released when thats not the case...
The status is defined to reflect the status in the development release,
where it is fixed. I'll add a Precise task for you though, to track
status for
Since this is fixed in Saucy, I'm marking this bug as Fix Released. If
you want PFS in an official Ubuntu release, use Ubuntu 13.10.
I understand that some of you want this feature backported to 12.04.
That's fine, but this is a considerable amount of work and I don't think
it falls under the
I thought this request felt under the below wording in
https://wiki.ubuntu.com/StableReleaseUpdates :
quote
Stable release updates will, in general, only be issued in order to fix
high-impact bugs. Examples of such bugs include:
Bugs which may, under realistic circumstances, directly cause a
Yeah I have to add my +1 to this too, as I feel waiting for Ubuntu 14.04
LTS is too long!
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no
An Apache 2.2 back-port would be great. what are the plans for this?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE
+1 on the backport. I'm a co-founder of a non-profit. Our websites have
to default to SSL to protect the privacy of our clients. Since this is
a production webserver, we can only use Ubuntu 12.04 LTS as that's what
our IaaS vendor offers us for Ubuntu/Debian distros. The lack of
forward-secrecy
+1 for Chris question. Any plans for an Apache 2.2 back-port?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need ECDHE keys
Don't you think it would be better to backport this for Apache 2.2?
What about all the Ubuntu 12.04 LTS versions which will be running for some
more years?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-3389
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884
Title:
apache2.2 SSL has no forward-secrecy: need
Just to answer this, the upgrade has hit Saucy, and I have tested it
successfully. I'll mark it as fix-committed. Thanks for your time.
** Changed in: apache2 (Ubuntu)
Status: Confirmed = Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Server Team,
** Information type changed from Private Security to Public Security
** Changed in: apache2 (Ubuntu)
Status: New = Confirmed
** Changed in: apache2 (Ubuntu)
Importance: Undecided = Wishlist
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is
Thanks for your assistance.
Can I ask why you think this is merely a wishlist item?
If I've understood the import of this correctly, then the privacy of
every visitor to every website served by Apache on every version(*) of
Ubuntu is at risk. I don't think that forward-secrecy in SSL is an
33 matches
Mail list logo
