Trying to mitigate Logjam on Apache 2.2.16

Solution 1:

From the Apache documentation, the SSLOpenSSLConfCmd option was added in version 2.4.8:

Compatibility: Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later

You will need to update to a later version of Apache if you need to use this option.

Solution 2:

Also Apache 2.2.22 (Debian 7). I also removed the problematic ciphers one by one, according to the Qualys SSL Labs test https://www.ssllabs.com/ssltest/index.html. It passes now; only WinXP / IE6 is incompatible.

Cipher I ended up using:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

This is based on the recommendation from https://weakdh.org/sysadmin.html, but removing the DH ciphers that the test marked as problematic.
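
An added example, not part of the answer above: a small auditor for the output of `openssl ciphers -v '<cipher string>'` that lists the finite-field DHE suites a cipher string still enables, which is what matters for Logjam when the DH parameters cannot be configured. The function names, the assumed RSA server key and the sample lines (constructed, in the OpenSSL 1.0.x column layout) are assumptions.

```python
import re
import sys

# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.0.x layout).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

def parse(text):
    """Turn each `openssl ciphers -v` line into a dict of its columns."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or unrecognised line
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "kx": attrs.get("Kx", ""),
                       "au": attrs.get("Au", ""), "export": "export" in parts})
    return suites

def audit(text, server_key="RSA"):
    """Return (suite, verdict) for every ephemeral/anonymous finite-field DH suite.

    server_key is the key type of the server certificate (assumed RSA here).
    """
    findings = []
    for s in parse(text):
        m = re.fullmatch(r"DH(?:\((\d+)\))?", s["kx"])
        if not m:
            continue  # ECDH, RSA, static DH: no server-chosen DH group involved
        if s["export"] or m.group(1):
            verdict = "EXPORT-DHE"      # export-grade DH, the Logjam downgrade target
        elif s["au"] == "None":
            verdict = "ANON-DH"         # no certificate needed, always negotiable
        elif s["au"] == server_key:
            verdict = "DHE-NEGOTIABLE"  # server will use its built-in DH group
        else:
            verdict = "DHE-UNUSABLE"    # needs a key type the server does not have
        findings.append((s["name"], verdict))
    return findings

if __name__ == "__main__":
    # Usage: openssl ciphers -v '<string>' > out.txt; python audit.py out.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, verdict in audit(text):
        print(f"{verdict:15} {name}")
```

Any line reported as `DHE-NEGOTIABLE`, `ANON-DH` or `EXPORT-DHE` is a suite the cipher string still has to exclude on a server where the DH parameters cannot be replaced.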

Solution 3:

The "SSLOpenSSLConfCmd" config parameter isn't working for Apache 2.2 and it doesn't provide any similar config parameter for this. Though there is a workaround for Apache 2.2 until there is an official patch: https://bitbucket.org/snippets/wneessen/grb8