SSLOpenSSLConfCmd DHParameters and 2048-bit groups in Apache httpd 2.2.29 (current)

In light of the recent publicity of the "logjam attack" (e.g. https://weakdh.org/), Diffie-Hellman key exchange has come under some scrutiny.

Industry wisdom seems to suggest that to prevent possible nation-state decryption an httpd server should generate a 2048-bit group of parameters (for Diffie-Hellman key exchange).

This is a trivial task to complete using OpenSSL using a command such as the following:

        openssl dhparam -out dhparams.pem 2048

Apache httpd 2.4.8+ (including 2.4.12 -- current) appears to have support for this using a configuration entry similar to this one:

        SSLOpenSSLConfCmd DHParameters "/PATH/dhparams.pem"

It has also been reported that Apache httpd 2.4.7+ can support this by appending the DH PARAMETERS to the end of the SSL certificate file, e.g.:

        -----BEGIN CERTIFICATE-----
        CERTIFICATE_DATA_HERE
        -----END CERTIFICATE-----
        -----BEGIN DH PARAMETERS-----
        GENERATED_DH_PARAMETERS_HERE
        -----END DH PARAMETERS-----

This has been noted in the httpd SSL FAQ documentation (https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh).


I am unable to find any documentation on this feature set for anything in the httpd 2.2.x branch including the 2.2.29 (current) release.

I have attempted to use both of these methods in httpd 2.2.29, but have been unable to do so successfully.

Are 2048-bit Diffie-Hellman groups supported in the Apache httpd 2.2.x branch?  Is it possible that this feature will be ported to the 2.2.x branch?  Has anyone already done so?

Thanks,
Karl
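Added example (not part of Karl's message, and not code from the httpd or OpenSSL projects): a small standard-library Python checker that reads a PEM file in either layout mentioned above, a standalone dhparams.pem or a certificate file with a DH PARAMETERS block appended, and reports the bit length of the DH prime p. PKCS#3 DH parameters are a DER SEQUENCE of INTEGER p followed by INTEGER g, so the group size is just the bit length of the first integer. The sample PEM text inside is constructed: the certificate block is a placeholder and the 2048-bit prime has the right size but is not a real safe prime, so it exercises only the size check.

```python
"""Check the size of the Diffie-Hellman group carried in a PEM file.

Handles both layouts from the thread: a standalone dhparams.pem and a
certificate file with a DH PARAMETERS block appended to it.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, base64_body) for every PEM block in the text, in order."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), re.sub(r"\s+", "", m.group(2))


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.
    Return the bit length of the prime, i.e. the group size."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p as first element")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit_dh_pem(text, minimum_bits=2048):
    """Return [(bits, ok), ...] for each DH PARAMETERS block found."""
    results = []
    for label, body in pem_blocks(text):
        if label == "DH PARAMETERS":
            bits = dh_prime_bits(base64.b64decode(body))
            results.append((bits, bits >= minimum_bits))
    return results


# --- minimal DER encoder, used only to build the constructed sample --------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(n):
    # +8 rather than +7 reserves a leading zero byte when the high bit is
    # set, which DER requires for non-negative INTEGERs.
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def der_dh_params(p, g):
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed sample in the "certificate + appended DH PARAMETERS" layout.
# The certificate body is a placeholder and the prime is NOT a real safe
# prime; only its size matters for this check.
FAKE_P_2048 = (1 << 2047) + 1
SAMPLE_PEM = (pem_encode("CERTIFICATE", b"\x30\x00")
              + pem_encode("DH PARAMETERS", der_dh_params(FAKE_P_2048, 2)))
# A constructed 1024-bit group, the size the check should reject.
WEAK_PEM = pem_encode("DH PARAMETERS", der_dh_params((1 << 1023) + 1, 2))

if __name__ == "__main__":
    for name, pem in (("combined file", SAMPLE_PEM), ("weak file", WEAK_PEM)):
        for bits, ok in audit_dh_pem(pem):
            print(f"{name}: DH prime is {bits} bits -> "
                  f"{'OK' if ok else 'TOO SMALL'}")
```

On a real file the same result can be cross-checked with `openssl dhparam -in dhparams.pem -text -noout`, which prints the parameter size; this script only confirms what the file contains, not which parameters a given httpd build actually uses on the wire.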