# openssl-1.0.2 is needed for Apache to follow logjam Hints

## toralf

Otherwise you get a 

```
/etc/init.d/apache2 restart
 * apache2 has detected an error in your setup:
AH00526: Syntax error on line 40 of /etc/apache2/vhosts.d/00_default_ssl_vhost.conf:
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
 * ERROR: apache2 failed to stop
```

when trying to add 

```
SSLOpenSSLConfCmd DHParameters /etc/ssl/private/dhparams.pem
```

to apache2's config file (as advised in https://weakdh.org/sysadmin.html)

----------

## Duncan Mac Leod

No, it is NOT!

Look at my earlier posting: https://forums.gentoo.org/viewtopic-t-1017546.html

I eliminated all DHE ciphers, only ECDHE ciphers are enabled, so you can go with openssl-1.0.1m and with Apache 2.2.x.

Using SSLOpenSSLConfCmd won't run on Apache < 2.4.8 and yes, you are right, it'll need openssl-1.0.2.

So, why use DHE at all? With ECDHE you are safe against Logjam and my solution (plz look at my other posting) offers good compatibility with most clients.

----------
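
The version requirements named in the posts above (Apache 2.4.8 and OpenSSL 1.0.2 for `SSLOpenSSLConfCmd`), checked in an added shell example that is not part of the thread. The function names (`ver_ge`, `apache_ver`, `openssl_ver`, `advise`) and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): can "SSLOpenSSLConfCmd DHParameters"
# be used on this host? Minimums are the ones stated in the thread.

# ver_ge HAVE WANT: succeed if HAVE >= WANT. Handles OpenSSL letter releases
# ("1.0.1m" < "1.0.2" < "1.0.2a"); pre-release tags are not handled.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        la = a; sub(/^[0-9.]*/, "", la); a = substr(a, 1, length(a) - length(la))
        lb = b; sub(/^[0-9.]*/, "", lb); b = substr(b, 1, length(b) - length(lb))
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit (((la "") >= (lb "")) ? 0 : 1)   # numbers equal: compare letters
    }'
}

# Pull the version out of `apache2 -v` and `openssl version` output.
apache_ver()  { printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9.]*\).*|\1|p' | head -n 1; }
openssl_ver() { printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p' | head -n 1; }

# advise APACHE_OUTPUT OPENSSL_OUTPUT: print which option from the thread applies.
advise() {
    av=$(apache_ver "$1"); ov=$(openssl_ver "$2")
    if ver_ge "$av" 2.4.8 && ver_ge "$ov" 1.0.2; then
        echo "dhparams"      # SSLOpenSSLConfCmd DHParameters is available
    else
        echo "ecdhe-only"    # directive unavailable: disable DHE, keep ECDHE
    fi
}

# Constructed sample outputs (not captured from a real host).
advise "Server version: Apache/2.2.29 (Unix)" "OpenSSL 1.0.1m 19 Mar 2015"
advise "Server version: Apache/2.4.12 (Unix)" "OpenSSL 1.0.2a 19 Mar 2015"
# On a live host: advise "$(apache2 -v)" "$(openssl version)"
# Caveat: what counts is the OpenSSL that mod_ssl is built against, which
# can differ from the version the openssl command-line tool reports.
```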

## toralf

I do wonder if it is the right time to completely ignore DHE and just use ECDHE.

DHE is still a good choice / fallback as long as elliptic curves aren't proved (over a long time) to be a safe replacement.

----------

