Re: SSLOpenSSLConfCmd DHParameters and 2048-bit groups in Apache httpd 2.2.29 (current)

On Fri, May 22, 2015 at 11:08 PM, karl karloff <karlkarloff@xxxxxxxxxxx> wrote:
>
> Apache httpd 2.4.8+ (including 2.4.12 -- current) appear to have support for this using a configuration entry similar to this one:
>
>         SSLOpenSSLConfCmd DHParameters "/PATH/dhparams.pem"
>
> It has also been reported that Apache httpd 2.4.7+ can support this by appending the DH PARAMETERS to the end of the ssl certificate file, e.g.:
>
>         -----BEGIN CERTIFICATE-----
>         CERTIFICATE_DATA_HERE
>         -----END CERTIFICATE-----
>         -----BEGIN DH PARAMETERS-----
>         GENERATED_DH_PARAMETERS_HERE
>         -----END DH PARAMETERS-----

Unless you are using static DH certificates (neither RSA nor DSS, quite
rare), you don't really need the above in Apache httpd 2.4.7 and
earlier.
The ephemeral/anonymous DH ([EC]DHE, those providing perfect forward
secrecy) will be computed automatically from standardized DH primes
(parameters) whose size is based on the server certificate's modulus
(namely 2048/3072/4096/6144/8192, or still 1024 if the certificate is
a -not recommended- 1024-bit one).

>
> This has been noted in the httpd SSL FAQ documentation (https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh)

This doc is hence only about (still) using 1024-bit DH even when the
certificate is 2048 bits (to address old JRE limits and preserve
compatibility).

>
>
> I am unable to find any documentation on this feature set for anything in the httpd 2.2.x branch including the 2.2.29 (current) release.
>
> I have attempted to use both of these methods in httpd 2.2.29, but have been unable to do so successfully.
>
> Are 2048-bit Diffie-Hellman groups supported in the Apache httpd 2.2.x branch?  Is it possible that this feature will be ported to the 2.2.x branch?  Has anyone already done so?

The good news is that this has been backported in the upcoming 2.2.30 (soon).
Not SSLOpenSSLConfCmd though, but you probably don't need it for this
purpose as explained above; 2048-bit or larger [EC]DHE should work out
of the box.

Regards,
Yann.
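The quoted message describes appending a "DH PARAMETERS" block to the certificate file, and the reply's point is that what matters is the size of the group actually carried (or not carried) in that file. Below is an added checker, not code from this thread or from the httpd project, that splits such a combined PEM file into its blocks, DER-decodes the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g) and reports the prime's bit length against a minimum. The sample inputs are constructed in the script: the "CERTIFICATE" block is a stand-in DER blob, not a real X.509 certificate, and the moduli are constructed odd numbers of the right size, not real DH groups, so the example runs offline; a real dhparams.pem from `openssl dhparam` parses the same way.

```python
import base64
import re
import textwrap

# --- minimal DER encoder, used only to build the constructed sample file ---

def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    # (bit_length + 8) // 8 leaves a leading 0x00 whenever the high bit is set,
    # as DER requires for non-negative INTEGERs.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_sequence(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

def pem_block(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(b64, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# --- PEM splitting and DHParameter decoding (the actual check) ---

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in the file, in order."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(der):
    """Return (bits of p, g) from a PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER, ... }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DHParameter is not a SEQUENCE")
    tag, p_bytes, end = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(body, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    p = int.from_bytes(p_bytes, "big")  # a leading 0x00 pad does not change the value
    return p.bit_length(), int.from_bytes(g_bytes, "big")

def check_dh_params(pem_text, minimum_bits=2048):
    """Return (prime_bits, verdict). prime_bits is None when the file carries no DH block."""
    for label, der in pem_blocks(pem_text):
        if label == "DH PARAMETERS":
            bits, _g = dh_prime_bits(der)
            return bits, "ok" if bits >= minimum_bits else "weak"
    # No explicit group: httpd 2.4.7+ then picks a built-in group sized by the certificate.
    return None, "no DH PARAMETERS block"

# --- constructed sample inputs (NOT real certificates or DH groups) ---

STAND_IN_CERT = pem_block("CERTIFICATE", der_sequence(der_integer(0)))
P_2048 = (1 << 2047) | 0x1F   # constructed odd 2048-bit number, not a prime
P_1024 = (1 << 1023) | 0x1F   # constructed odd 1024-bit number, not a prime
FILE_2048 = STAND_IN_CERT + pem_block("DH PARAMETERS", der_sequence(der_integer(P_2048), der_integer(2)))
FILE_1024 = STAND_IN_CERT + pem_block("DH PARAMETERS", der_sequence(der_integer(P_1024), der_integer(2)))

if __name__ == "__main__":
    for name, text in (("cert+2048", FILE_2048), ("cert+1024", FILE_1024), ("cert only", STAND_IN_CERT)):
        print(name, check_dh_params(text))
```

Run against a real combined file with `check_dh_params(open("/PATH/ssl.crt").read())`; a result of `(1024, "weak")` is the javadh compatibility case from the FAQ, and `(None, ...)` means the file relies on httpd's built-in groups.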
