Based on my memory of dtucker's earlier diff which I OK'd and lost :-)
This updates the baked-in DH params of the apache 1.3 port for people
who haven't been able to migrate to a supported http server yet.
There's an explanation in the comment in the patch header.

OK?

Note that the presence of this port is starting to cause problems
with other ports; it is quite likely to be retired after the 5.9 release.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd-openbsd/Makefile,v
retrieving revision 1.12
diff -u -p -r1.12 Makefile
--- Makefile    30 Dec 2015 10:22:33 -0000      1.12
+++ Makefile    1 Feb 2016 12:51:59 -0000
@@ -3,7 +3,7 @@
 COMMENT=       OpenBSD improved and secured version of Apache 1.3
 
 DISTNAME=      apache-httpd-openbsd-1.3.20140502
-REVISION=      6
+REVISION=      7
 CATEGORIES=    www
 
 HOMEPAGE=      https://github.com/fobser/apache-httpd-openbsd
Index: patches/patch-src_modules_ssl_ssl_engine_dh_c
===================================================================
RCS file: patches/patch-src_modules_ssl_ssl_engine_dh_c
diff -N patches/patch-src_modules_ssl_ssl_engine_dh_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_modules_ssl_ssl_engine_dh_c       1 Feb 2016 12:51:59 
-0000
@@ -0,0 +1,154 @@
+$OpenBSD$
+
+Replace baked-in DH parameters with new ones. ("Logjam" attack).
+The whole source file can be run as a perl script (note it uses
+indent(1) and .indent.pro files in your $HOME affect formatting).
+This is not done at build time to avoid a means of fingerprinting
+the build/arch/etc.
+
+These are still only 1024 bit to avoid adjusting logic to do with
+export ciphers (they're no longer supported by LibreSSL anyway,
+but that's a bigger change than desirable for this port which
+is on life-support anyway).
+
+USERS OF THIS PORT ARE STRONGLY ENCOURAGED TO MIGRATE THEIR
+CONFIGURATION TO ALTERNATIVE SERVER SOFTWARE.
+
+--- src/modules/ssl/ssl_engine_dh.c.orig       Sat Apr 26 14:51:13 2014
++++ src/modules/ssl/ssl_engine_dh.c    Mon Feb  1 12:42:33 2016
+@@ -67,43 +67,42 @@
+ /* ----BEGIN GENERATED SECTION-------- */
+ 
+ /*
+-** Diffie-Hellman-Parameters: (512 bit)
+-**     prime:
+-**         00:d4:bc:d5:24:06:f6:9b:35:99:4b:88:de:5d:b8:
+-**         96:82:c8:15:7f:62:d8:f3:36:33:ee:57:72:f1:1f:
+-**         05:ab:22:d6:b5:14:5b:9f:24:1e:5a:cc:31:ff:09:
+-**         0a:4b:c7:11:48:97:6f:76:79:50:94:e7:1e:79:03:
+-**         52:9f:5a:82:4b
+-**     generator: 2 (0x2)
+-** Diffie-Hellman-Parameters: (1024 bit)
+-**     prime:
+-**         00:e6:96:9d:3d:49:5b:e3:2c:7c:f1:80:c3:bd:d4:
+-**         79:8e:91:b7:81:82:51:bb:05:5e:2a:20:64:90:4a:
+-**         79:a7:70:fa:15:a2:59:cb:d5:23:a6:a6:ef:09:c4:
+-**         30:48:d5:a2:2f:97:1f:3c:20:12:9b:48:00:0e:6e:
+-**         dd:06:1c:bc:05:3e:37:1d:79:4e:53:27:df:61:1e:
+-**         bb:be:1b:ac:9b:5c:60:44:cf:02:3d:76:e0:5e:ea:
+-**         9b:ad:99:1b:13:a6:3c:97:4e:9e:f1:83:9e:b5:db:
+-**         12:51:36:f7:26:2e:56:a8:87:15:38:df:d8:23:c6:
+-**         50:50:85:e2:1f:0d:d5:c8:6b
+-**     generator: 2 (0x2)
++**     PKCS#3 DH Parameters: (512 bit)
++**         prime:
++**             00:d3:9e:43:c4:21:05:a4:94:3a:28:c0:c0:2b:4c:
++**             45:d9:89:d8:17:e6:73:7a:32:5b:f2:5a:f3:51:b8:
++**             ec:ee:34:3a:76:1a:43:63:38:5e:6c:bc:63:2c:41:
++**             81:50:7a:ff:69:a9:f0:ba:ca:5a:61:f7:01:d7:db:
++**             cc:9f:5e:33:83
++**         generator: 2 (0x2)
++**     PKCS#3 DH Parameters: (1024 bit)
++**         prime:
++**             00:8b:23:e7:d5:7b:42:16:0f:b3:e3:36:89:de:ca:
++**             eb:0f:6b:44:e6:96:78:81:5c:89:55:55:10:c3:73:
++**             d6:5d:3a:30:b3:3f:b5:c6:12:f4:6d:16:f6:55:24:
++**             4e:92:1e:c8:d1:da:18:27:ce:d3:98:cf:7c:3d:f0:
++**             77:ea:d6:8f:e4:24:b4:67:4a:7d:9c:e2:83:bc:e9:
++**             16:a5:3f:01:f1:4f:e4:1a:51:2f:50:66:4b:b4:12:
++**             4a:5e:c9:43:e0:54:85:c3:93:57:b3:43:0f:20:f7:
++**             32:14:d1:79:11:c2:fb:c5:a4:ea:34:3b:f2:eb:f3:
++**             c1:8b:37:01:a6:61:04:cb:c3
++**         generator: 2 (0x2)
+ */
+ 
+-static unsigned char dh512_p[] =
+-{
+-    0xD4, 0xBC, 0xD5, 0x24, 0x06, 0xF6, 0x9B, 0x35, 0x99, 0x4B, 0x88, 0xDE,
+-    0x5D, 0xB8, 0x96, 0x82, 0xC8, 0x15, 0x7F, 0x62, 0xD8, 0xF3, 0x36, 0x33,
+-    0xEE, 0x57, 0x72, 0xF1, 0x1F, 0x05, 0xAB, 0x22, 0xD6, 0xB5, 0x14, 0x5B,
+-    0x9F, 0x24, 0x1E, 0x5A, 0xCC, 0x31, 0xFF, 0x09, 0x0A, 0x4B, 0xC7, 0x11,
+-    0x48, 0x97, 0x6F, 0x76, 0x79, 0x50, 0x94, 0xE7, 0x1E, 0x79, 0x03, 0x52,
+-    0x9F, 0x5A, 0x82, 0x4B,
++static unsigned char dh512_p[] = {
++    0xD3, 0x9E, 0x43, 0xC4, 0x21, 0x05, 0xA4, 0x94, 0x3A, 0x28, 0xC0, 0xC0,
++    0x2B, 0x4C, 0x45, 0xD9, 0x89, 0xD8, 0x17, 0xE6, 0x73, 0x7A, 0x32, 0x5B,
++    0xF2, 0x5A, 0xF3, 0x51, 0xB8, 0xEC, 0xEE, 0x34, 0x3A, 0x76, 0x1A, 0x43,
++    0x63, 0x38, 0x5E, 0x6C, 0xBC, 0x63, 0x2C, 0x41, 0x81, 0x50, 0x7A, 0xFF,
++    0x69, 0xA9, 0xF0, 0xBA, 0xCA, 0x5A, 0x61, 0xF7, 0x01, 0xD7, 0xDB, 0xCC,
++    0x9F, 0x5E, 0x33, 0x83,
+ };
+-static unsigned char dh512_g[] =
+-{
++
++static unsigned char dh512_g[] = {
+     0x02,
+ };
+ 
+-static DH *get_dh512(void)
++static DH *get_dh512()
+ {
+     DH *dh;
+ 
+@@ -115,26 +114,25 @@ static DH *get_dh512(void)
+         return (NULL);
+     return (dh);
+ }
+-static unsigned char dh1024_p[] =
+-{
+-    0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
+-    0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
+-    0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59,
+-    0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2,
+-    0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD,
+-    0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF,
+-    0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02,
+-    0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C,
+-    0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7,
+-    0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50,
+-    0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B,
++static unsigned char dh1024_p[] = {
++    0x8B, 0x23, 0xE7, 0xD5, 0x7B, 0x42, 0x16, 0x0F, 0xB3, 0xE3, 0x36, 0x89,
++    0xDE, 0xCA, 0xEB, 0x0F, 0x6B, 0x44, 0xE6, 0x96, 0x78, 0x81, 0x5C, 0x89,
++    0x55, 0x55, 0x10, 0xC3, 0x73, 0xD6, 0x5D, 0x3A, 0x30, 0xB3, 0x3F, 0xB5,
++    0xC6, 0x12, 0xF4, 0x6D, 0x16, 0xF6, 0x55, 0x24, 0x4E, 0x92, 0x1E, 0xC8,
++    0xD1, 0xDA, 0x18, 0x27, 0xCE, 0xD3, 0x98, 0xCF, 0x7C, 0x3D, 0xF0, 0x77,
++    0xEA, 0xD6, 0x8F, 0xE4, 0x24, 0xB4, 0x67, 0x4A, 0x7D, 0x9C, 0xE2, 0x83,
++    0xBC, 0xE9, 0x16, 0xA5, 0x3F, 0x01, 0xF1, 0x4F, 0xE4, 0x1A, 0x51, 0x2F,
++    0x50, 0x66, 0x4B, 0xB4, 0x12, 0x4A, 0x5E, 0xC9, 0x43, 0xE0, 0x54, 0x85,
++    0xC3, 0x93, 0x57, 0xB3, 0x43, 0x0F, 0x20, 0xF7, 0x32, 0x14, 0xD1, 0x79,
++    0x11, 0xC2, 0xFB, 0xC5, 0xA4, 0xEA, 0x34, 0x3B, 0xF2, 0xEB, 0xF3, 0xC1,
++    0x8B, 0x37, 0x01, 0xA6, 0x61, 0x04, 0xCB, 0xC3,
+ };
+-static unsigned char dh1024_g[] =
+-{
++
++static unsigned char dh1024_g[] = {
+     0x02,
+ };
+ 
+-static DH *get_dh1024(void)
++static DH *get_dh1024()
+ {
+     DH *dh;
+ 
+@@ -198,17 +196,8 @@ close(FP);
+ 
+ #   generate the DH parameters
+ print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+-my $rand = '';
+-foreach $file (qw(/var/log/messages /var/adm/messages 
+-                  /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+-    if (-f $file) {
+-        $rand = $file     if ($rand eq '');
+-        $rand .= ":$file" if ($rand ne '');
+-    }
+-}
+-$rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
++system("openssl gendh -out dh512.pem 512");
++system("openssl gendh -out dh1024.pem 1024");
+ 
+ #   generate DH param info 
+ my $dhinfo = '';
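Review bot: The new declarations `static DH *get_dh512()` and `static DH *get_dh1024()` drop the `void` from the parameter list, which in C turns a prototype into an old-style unspecified-argument declaration and draws `-Wstrict-prototypes` warnings; since neither function takes arguments, keep `static DH *get_dh512(void)` and `static DH *get_dh1024(void)` as the original had. This looks like a side effect of re-running the file's embedded perl/indent generator rather than an intended edit, so the generator's output template is presumably the place to correct it. Both function bodies continue outside this hunk, so the rest of each definition could not be checked here. Separately, the regenerated `system("openssl gendh -out dh512.pem 512")` and `dh1024` lines no longer pass `-rand`; that is fine only if the openssl in use seeds from the system RNG on its own, which is worth stating in the patch header next to the fingerprinting note.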
