All,

I'm running httpd 2.2.31 on Amazon Linux, and the docs for SSLCertificateFile say:

"Beginning with version 2.2.30, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 bits (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key."

I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL Labs' SSL testing tool. That suggests that the DH parameter strength is less than what I was expecting: 4096-bit (or equivalent).

How does httpd determine which DH primes to use based upon the RSA key? The server's key is 4096-bit, but the issuer's key (in the chain) is 2048-bit. Is that the reason SSL Test is not giving me full marks?

I'm trying to create a 4096-bit parameters file (to attach to the RSA key chain), but it's taking a while so I figured I'd ask in the meantime.

Thanks!

-chris

PS I'll see some of you in Miami!