View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008548 | Rocky-Linux-9 | httpd | public | 2024-12-13 01:00 | 2024-12-13 01:03 |
Field | Value |
---|---|
Reporter | Veit Wahlich |
Assigned To | |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | new |
Resolution | open |
Platform | x86_64 |
OS | Rocky Linux |
OS Version | 9.5 |
Tags | mod-ssl |

Summary: 0008548: mod_ssl: Defining custom EC parameters also resets DH parameters, breaking DHE ciphers and parsing of cipher suites

Description:

mod_ssl allows adding custom EC parameters and/or DH parameters to the first PEM file referenced by SSLCertificateFile in a context, as described here: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

Since httpd-2.4.62-1.el9.x86_64, adding custom EC parameters seems to wipe out the built-in DH parameters, rendering any ciphers employing DHE kex unavailable in this context.

If an explicit list of SSL ciphers is defined using SSLCipherSuite, this does not only eliminate any ciphers using DHE kex, but breaks parsing of the cipher list after the first DHE cipher, eliminating any following ciphers, independent of the kex used.

Steps To Reproduce:

1. Install httpd, mod_ssl and sslscan: dnf install httpd-2.4.62-1.el9.x86_64 mod_ssl-2.4.62-1.el9.x86_64 sslscan
2. Start httpd and let it generate its self-signed default cert: systemctl start httpd.service
3. Verify ciphers with DHE kex are available: sslscan localhost:443
4. Add EC parameters for a curve of your choice to the default certificate: openssl ecparam -name secp384r1 >>/etc/pki/tls/certs/localhost.crt
5. Reload httpd: systemctl reload httpd.service
6. Verify that all ciphers with DHE kex are missing now: sslscan localhost:443
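Added example (not part of this report, nor httpd or mod_ssl code): a small Python check that inspects an SSLCertificateFile PEM bundle for the state the report describes (an EC PARAMETERS block present with no DH PARAMETERS block) and, for a given SSLCipherSuite value, lists which entries the report says are dropped from the first DHE cipher onward. The PEM bodies are constructed placeholders, and cipher matching assumes OpenSSL names in which DHE-kex suites start with "DHE-".

```python
import re

# Constructed sample bundles (placeholder base64, not real key material), shaped
# like /etc/pki/tls/certs/localhost.crt before and after step 4 of the report.
PEM_CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
"""
PEM_EC_APPENDED = PEM_CERT_ONLY + """-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
"""
PEM_EC_AND_DH = PEM_EC_APPENDED + """-----BEGIN DH PARAMETERS-----
MIIBplaceholder
-----END DH PARAMETERS-----
"""

# One PEM block; the label must match between the BEGIN and END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_block_labels(pem_text):
    """Labels of the PEM blocks in file order, e.g. ['CERTIFICATE', 'EC PARAMETERS']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def dhe_at_risk(pem_text):
    """True when the bundle carries EC PARAMETERS but no DH PARAMETERS: the state
    the report describes after appending ecparam output, in which the affected
    httpd build loses its built-in DH parameters and DHE ciphers disappear."""
    labels = set(pem_block_labels(pem_text))
    return "EC PARAMETERS" in labels and "DH PARAMETERS" not in labels


def split_cipher_suite(cipher_suite):
    """Split an SSLCipherSuite value at the first DHE-kex entry.
    Returns (kept, lost): per the report, entries from the first DHE cipher
    onward are dropped on the affected build. Assumes plain OpenSSL names
    separated by ':'; '!'/'+' modifiers are not interpreted."""
    entries = [c for c in cipher_suite.split(":") if c]
    for i, name in enumerate(entries):
        if name.startswith("DHE-"):
            return entries[:i], entries[i:]
    return entries, []


if __name__ == "__main__":
    for label, pem in (("cert only", PEM_CERT_ONLY), ("ec appended", PEM_EC_APPENDED),
                       ("ec + dh", PEM_EC_AND_DH)):
        print(f"{label:12} blocks={pem_block_labels(pem)} dhe_at_risk={dhe_at_risk(pem)}")
    print(split_cipher_suite("ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-SHA"))
```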
Date Modified | Username | Field | Change |
---|---|---|---|
2024-12-13 01:00 | Veit Wahlich | New Issue | |
2024-12-13 01:02 | Veit Wahlich | Tag Attached: mod-ssl | |