Page MenuHomePhabricator

Fix apache-2.4 + DHE ciphersuites issue
Closed, ResolvedPublic


For apache (only 2.4, not 2.2), we'd like to be able to enable DHE-based ciphersuites for broader compatibility, like we do for nginx. Aside from tiny corner cases, this primarily affects Android 2.x and OpenSSL 0.9.8 clients (the latter being what a bunch of CLI tools on older linux installations might still be using). For services using 'compat' ciphersuites (virtually all of them), it would upgrade these clients to PFS. For those using 'mid' (just lists.wm.o so far, AFAIK), without DHE those clients can't actually connect at all.

Currently we universally disable the DHE suites for apache, though, for complex reasons:

  • We don't want to turn them on without using a custom DH group instead of the static one (logjam, et al)
  • Apache doesn't support custom DH groups until 2.4.7+ (so, jessie+ for us, which has 2.4.10)
  • 2.4.7 introduced one ugly way to configure it: append the DH group to the server's certificate file
  • 2.4.8 introduced a better way with an explicit config parameter (similar to nginx style), but the feature doesn't work unless apache is rebuilt against openssl-1.0.2, and jessie's stock apache isn't.

So there's two basic ways to go about fixing this:

  1. Similar to how we generate 'chained' certs in the sslcert module, also generate a copy of the cert with dhparams appended, e.g. /etc/ssl/localcerts/foo.plusdh.crt. Then go around to all the SSLCertificateFile directives in jessie-based public-facing apaches and switch them to that file reference, and set some new parameter in their ssl_ciphersuite() calls to allow DHE. Complex, and there's no good way to enforce that the former is in place when the latter is enabled.
  2. Re-build apache-2.4 for jessie-wikimedia using our existing openssl-1.0.2 package. Get the package upgraded on existing hosts. Then have ssl_ciphersuite assume DHE is ok on jessie+, and put the new directive into the file itself (as we do for nginx). Relatively painless on the puppet front, but means we have the pain of maintaining our own apache package for jessie forever (with no real diffs, just a dependency update for openssl-1.0.2).

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

I'm in favour of rebuilding apache2. The overhead isn't that big (jessie has been released a year ago and saw one update in a DSA and two in point releases) and it's a transient effort which will cease with the upgrade to stretch.

@MoritzMuehlenhoff - if you think it's not much overhead and want to take on packaging jessie's apache-2.4 built against our openssl-1.0.2, that would be awesome :)

apache 2.4.10-10+deb8u4+wmf1 has been built against openssl 1.0.2 and uploaded to carbon. I'll update this bug once all existing jessie systems are upgraded.

Apache on all jessie systems has been upgraded and restarted.

Change 284518 had a related patch set uploaded (by BBlack):
ssl_ciphersuite refactoring, jessie apache DHE support

Change 284518 merged by BBlack:
ssl_ciphersuite refactoring, jessie apache DHE support