I did not want to wait until this is fixed for apache 2.22 in Ubuntu 12.04, so I took mod_ssl from apache 2.2.29, which supports ECDH. Additionally, I removed the 512 and 1024 bit DH parameters from ssl_engine_dh.c and replaced them with 2048 and 3072 bit. Two DH keys are not needed because libssl in 12.04 never asks for more than 1024 bit, so 3072 are always returned. But I realised this afterwards....

You can download my modified mod_ssl from http://download.ict-pros.co.tz/mod_ssl-apache2.22.tar.bz2

Short instructions:

  apt-get source apache2
  apt-get build-dep apache2

Replace modules/ssl with the modified version. Run within modules/ssl

  perl ./ssl_engine_dh.c

to generate your own DH parameters. Build the package.

After updates mod_ssl.so will be overwritten, so you have to copy your compiled version from debian/apache2.2-bin/usr/lib/apache2/modules/ to /usr/lib/apache2/modules/ and restart apache.

Andreas

** Attachment added: "mod_ssl from apache 2.2.29 with 2048 and 3072 bit DH parameters"
   https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+attachment/4404368/+files/mod_ssl-apache2.22.tar.bz2

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1197884

Title:
  apache2.2 SSL has no forward-secrecy: need ECDHE keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+subscriptions
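A client-side check that the rebuilt module really serves ECDHE or DH parameters of at least 2048 bits, added here as an example (it is not Andreas's code or part of the Ubuntu package). It assumes the probing machine has an openssl s_client new enough (1.0.2 or later) to print the "Server Temp Key:" line; the host and port passed to check_server are placeholders.

```shell
# pfs_status: read `openssl s_client` output on stdin, print a verdict on the
# key exchange and return 0 only if it provides forward secrecy with a key
# at least as strong as $1 (minimum DH modulus size in bits, e.g. 2048).
# Assumes a client openssl >= 1.0.2; older versions never print the
# "Server Temp Key:" line and would be reported as "no ephemeral key".
pfs_status() {
    min_bits="$1"
    line=$(grep '^Server Temp Key:' | head -n 1)
    case "$line" in
        "")
            echo "no ephemeral key: static RSA key exchange, no forward secrecy"
            return 1 ;;
        *ECDH*|*X25519*|*X448*)
            echo "ECDHE in use: forward secrecy ok ($line)"
            return 0 ;;
        *DH*)
            # e.g. "Server Temp Key: DH, 1024 bits" -> 1024
            bits=$(printf '%s\n' "$line" | sed -n 's/.*, \([0-9]*\) bits.*/\1/p')
            if [ "${bits:-0}" -ge "$min_bits" ]; then
                echo "DHE in use with $bits-bit parameters: ok"
                return 0
            fi
            echo "DHE in use but only $bits-bit parameters (< $min_bits): weak"
            return 2 ;;
        *)
            echo "unrecognised temp key line: $line"
            return 3 ;;
    esac
}

# check_server: probe a live server (placeholder host/port) once restricted to
# ECDHE suites and once to DHE suites, so both the new ECDH support and the
# regenerated DH parameters get exercised.
check_server() {
    host="$1"; port="${2:-443}"
    for ciphers in ECDHE DHE; do
        printf '%s: ' "$ciphers"
        echo | openssl s_client -connect "$host:$port" -servername "$host" \
            -cipher "$ciphers" 2>/dev/null | pfs_status 2048
    done
}
```

Run it as `check_server www.example.org 443` against the patched host; a server still on the stock module answers the DHE probe with a 1024-bit line and the ECDHE probe with no temp key at all.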
