Re: How to use DH 4096 parameters?

Hi William,

I’m confused where the DH 3072 comes from. My question is, what should I configure so that DH 4096 is sent?

Is your DH file actually 4096 bits? ;)

It appears to be so when I look at the dhparams.pem file:

openssl dhparam -inform PEM -in /etc/apache2/dhparam.pem  -check -text
    DH Parameters: (4096 bit)
        prime: 
            00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
            [...]
        generator: 2 (0x2)
WARNING: the g value is not a generator

Does Apache have a setting similar to tune.ssl.default-dh-param in HAProxy, maybe?

I found on https://httpd.apache.org/docs/current/mod/mod_ssl.html: Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits and with additional prime lengths of 6144 and 8192 bits beginning with version 2.4.10 (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key.

That’s why I thought, if I use a 4096 bit key, it all would end well, but I guess I was wrong…

Cheers,
WH

