The Logjam Attack

Discussion in 'ISPConfig 3 Priority Support' started by chico11mbit, May 20, 2015.

  1. chico11mbit

    chico11mbit Member HowtoForge Supporter

  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. chico11mbit

    chico11mbit Member HowtoForge Supporter

Yep. Where can I find the config files to change?
    apache httpd.conf:
    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

    postfix:
    smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

Can I put the changes directly in etc/dovecot/dovecot.conf? There is no string "ssl_cipher_list" and "ssl_dh_parameters_length = 2048".
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

All config files are in their default locations; there are no ISPConfig-specific config paths.

The Apache config is in /etc/apache2/ on Debian and Ubuntu and in /etc/httpd/ on CentOS.
The Postfix config file is /etc/postfix/main.cf
The Dovecot config file(s) are in /etc/dovecot/
     
  5. chico11mbit

    chico11mbit Member HowtoForge Supporter

OK. So it is
/etc/apache2/apache2.conf

I created dhparams.pem as root in /etc/ssl/private/, so there is no permission problem with Postfix and Apache, I guess?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

Did you test it? Normally they should be able to read the file, as all services start as root.
     
  7. chico11mbit

    chico11mbit Member HowtoForge Supporter

Dovecot warning. Seems OK to me:
    May 20 20:43:50 server dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=2048
    May 20 20:43:50 server dovecot: ssl-params: Generating SSL parameters

Postfix throws no errors and works.

    apache2 error:
    * Reloading web server apache2 *
    * The apache2 configtest failed. Not doing anything.
    Output of config test was:
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:62
    AH00526: Syntax error on line 227 of /etc/apache2/apache2.conf:
    Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
    Action 'configtest' failed.
    The Apache error log may have more information.

    Note: no relevant entries in /var/log/apache2/error.log
     
  8. chico11mbit

    chico11mbit Member HowtoForge Supporter

Here are the entries I made in /etc/apache2/apache2.conf:

    Code:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM$
    SSLHonorCipherOrder     on
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
    
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

Most likely the Apache version is too old; Apache 2.4.8 or newer is required for this option.
     
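Added example, not from the thread or the ISPConfig project: a POSIX shell preflight for the mitigation discussed above, checking that the installed Apache is 2.4.8 or newer before the DHParameters directive is added (older builds fail configtest as in post 7) and reporting the bit size of the dhparams.pem file. It assumes apache2ctl and openssl are on the PATH; the banner string and version numbers used for checking are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the Logjam
# mitigation discussed above. Assumes apache2ctl and openssl on the PATH.
# Pull the version number out of the first line of `apache2ctl -v`,
# e.g. "Server version: Apache/2.4.7 (Ubuntu)" -> "2.4.7".
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when version $1 is 2.4.8 or newer, the first release that
# understands SSLOpenSSLConfCmd; older builds reject the directive.
apache_supports_confcmd() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3)
    [ "${maj:-0}" -gt 2 ] && return 0
    [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -gt 4 ] && return 0
    [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -eq 4 ] && [ "${pat:-0}" -ge 8 ] && return 0
    return 1
}

# Generate a 2048-bit DH group readable only by root (the path from the thread).
generate_dhparams() {
    umask 077
    openssl dhparam -out "$1" 2048
}

# Print the prime size of an existing PEM file, e.g. "2048".
dh_param_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Live check of this host; run with: sh check_dh.sh --run
check_host() {
    ver=$(apache_version_from_banner "$(apache2ctl -v 2>/dev/null | head -n 1)")
    if apache_supports_confcmd "${ver:-0}"; then
        echo "Apache ${ver}: SSLOpenSSLConfCmd DHParameters is available"
    else
        echo "Apache ${ver:-?}: too old for SSLOpenSSLConfCmd, needs 2.4.8+"
    fi
    bits=$(dh_param_bits /etc/ssl/private/dhparams.pem)
    if [ "${bits:-0}" -ge 2048 ]; then
        echo "dhparams.pem: ${bits} bit, fine"
    else
        echo "dhparams.pem: ${bits:-unreadable}, want 2048 bit or more"
    fi
}
case "${1:-}" in --run) check_host ;; esac
```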
  10. chico11mbit

    chico11mbit Member HowtoForge Supporter

Oh. This was the Apache version 2.4.7 I installed from your tutorial in 09-2014. And it is not updated through aptitude? How can I update this?

Edit: I checked the repo version with apt-get install -s apache2. 2.4.7 is the latest in the repository.
Then I will wait for updates.

Thanks a lot, Till. You are very kind.
     
    Last edited: May 20, 2015
  11. till

    till Super Moderator Staff Member ISPConfig Developer

When you don't get an update through apt, there is no newer version available yet for the Linux distribution that you have installed.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

