Security Bug Report

Richard Laager rlaager at
Thu Aug 13 07:14:20 EDT 2015

I don't know who has handled this in the past, but I feel I'm reasonably 
well-versed in this stuff from work, so I took a look at the situation 
and made some small changes. I also responded directly to Sumit Jain, 
who reported this.

I switched to the standard (RFC 3526) 2048-bit DH params for, 
which is using lighttpd. If people feel like custom DH params are the 
way to go, I did generate 2048-bit params on and could 
easily switch to those.

I can't upgrade the DH params on, as Apache 2.2 does 
not support it. We should probably look at upgrading nicobar, which 
currently runs Debian Wheezy (which is now oldstable).

I also changed the SSL cipher lists to match the (without RC4) 
suggestion here, which I believe is still the current best practice:

The difference between what we were running and that suggestion was 
pretty minimal in practice. Basically, it means that a number of clients 
will use AES GCM ciphers instead of AES CBC.
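
A check for the DH change described in the message above, added here as an example (not code from the post or from the servers it discusses): it rebuilds the RFC 3526 2048-bit prime from the RFC's formula and reports whether a PEM `DH PARAMETERS` file uses that group or custom parameters. The function names are hypothetical, and the sample PEM is constructed in the code.

```python
import base64

def arctan_inv(x, scale):
    """Fixed-point arctan(1/x) * scale from the alternating Taylor series."""
    total = term = scale // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def rfc3526_group14_prime():
    """RFC 3526: 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476)."""
    scale = 1 << (1918 + 64)  # 64 guard bits absorb series truncation error
    pi_fixed = 16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)  # Machin
    return (1 << 2048) - (1 << 1984) - 1 + (((pi_fixed >> 64) + 124476) << 64)

def read_tlv(buf, pos, tag):
    """Return (content, next_pos) for the DER element with this tag at pos."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def audit_dh_pem(pem):
    """Report the prime size and whether the params are RFC 3526 group 14."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    seq, _ = read_tlv(base64.b64decode(b64), 0, 0x30)  # SEQUENCE { p, g }
    p_raw, pos = read_tlv(seq, 0, 0x02)
    g_raw, _ = read_tlv(seq, pos, 0x02)
    p, g = int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")
    return {"bits": p.bit_length(), "generator": g,
            "rfc3526_group14": (p, g) == (rfc3526_group14_prime(), 2)}

def make_dh_pem(p, g):
    """Constructed sample input: encode (p, g) as a DH PARAMETERS PEM."""
    def tlv(tag, body):
        n = len(body)
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
    ints = b"".join(tlv(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.encodebytes(tlv(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print(audit_dh_pem(make_dh_pem(rfc3526_group14_prime(), 2)))
```

To audit a real file, pass its text to `audit_dh_pem`; 2048 bits with `rfc3526_group14` false means the server is using custom parameters.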