...
Using long non-standard DH groups
This needs Apache 2.4.8 and OpenSSL 1.0.2.
To help fix CVE-2015-4000 or at least reduce the risk:
```
openssl dhparam -out dhparams.pem 2048
# either ...
$EDITOR /etc/apache2/mods-available/ssl.conf
    # Long non-trivial DH group against CVE-2015-4000
    SSLOpenSSLConfCmd DHParameters dhparams.pem
# ... or ...
cat dhparams.pem >>www.foobar.com.crt
apache2ctl configtest && apache2ctl graceful
```
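To confirm that the file the server loads really carries a group of the intended size, the following added example (not part of the original page) parses the `DH PARAMETERS` PEM block, whether it sits in `dhparams.pem` or was appended to the certificate file, and reports the bit length of the prime. The function names, the 2048-bit default threshold and the toy 16-bit sample are assumptions of this example.

```python
import base64
import re

MIN_BITS = 2048  # assumption: matches the size passed to `openssl dhparam` above
PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

# Constructed sample: a toy 16-bit group (p=65521, g=2), far too short for real use.
TOY_PEM = ("-----BEGIN DH PARAMETERS-----\n"
           "MAgCAwD/8QIBAg==\n"
           "-----END DH PARAMETERS-----\n")


def read_tlv(buf, pos, want_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def dh_group_bits(pem_text):
    """Bit length of the prime p in every DH PARAMETERS block in the text."""
    sizes = []
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        seq, _ = read_tlv(der, 0, 0x30)    # DHParameter ::= SEQUENCE { p, g }
        prime, _ = read_tlv(seq, 0, 0x02)  # first INTEGER is the prime p
        sizes.append(int.from_bytes(prime, "big").bit_length())
    return sizes


def audit(pem_text, min_bits=MIN_BITS):
    """Return 'missing' (no block), 'weak' (any group too short) or 'ok'."""
    sizes = dh_group_bits(pem_text)
    if not sizes:
        return "missing"
    return "weak" if min(sizes) < min_bits else "ok"


if __name__ == "__main__":
    print(dh_group_bits(TOY_PEM), audit(TOY_PEM))
```

Pass it the contents of `dhparams.pem` or of the combined certificate file; a result of `missing` on the certificate file means the `cat ... >>` step did not take effect.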
To test this from a client machine with OpenSSL 1.0.2 or higher (from the openssl.org blog post logjam-freak-upcoming-changes):
...