httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49559] New: Patch to add user-specified Diffie-Hellman parameters
Date Tue, 06 Jul 2010 13:12:42 GMT

           Summary: Patch to add user-specified Diffie-Hellman parameters
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl

Created an attachment (id=25714)
Allow admin-chosen DH parameters for DHE-enabled cipher modes

In order to be EAL4+ validated for one of our customers, Apache needs to be
able to support a 2048+ bit group size for Diffie-Hellman parameters. Right now,
temporary parameters are 512 and 1024 bits only.

We can still disallow DH altogether, leaving only RSA for authentication and
pre-master secret encryption, but that's a suboptimal solution, as we then
lose forward secrecy.

Adding a 2048-bit DH temporary key into mod_ssl is not possible, since OpenSSL
would only ask for a 512/1024-bit one, depending on the "exportability" of the
chosen cipher mode.

This patch adds a new configuration directive, "SSLDHParametersFile <file>",
allowing the administrator to supply their own Diffie-Hellman parameters
("openssl dhparam 2048 > dhparam2048.pem" to generate 2048 bits ones, for
If this directive is specified and parameters are found in the supplied file,
then these parameters will be used whenever DHE is used to negotiate the
pre-master secret. If this directive is not used, then it works like it does
now, leaving OpenSSL to ask mod_ssl for a set of parameters of the desired size
(512 or 1024 bits).

We'd like this to be evaluated, discussed, and if possible, applied.
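An added example, not part of the bug report or of the mod_ssl patch: before pointing a directive like SSLDHParametersFile at a file, an administrator will want to confirm that the file actually carries a group of the intended size. The script below parses the PKCS#3 DHParameter structure (SEQUENCE of prime and generator) that "openssl dhparam" writes in its "DH PARAMETERS" PEM block, reports the prime's bit length, and refuses anything under a configurable minimum. It also contains a small encoder so the check can be exercised offline on constructed input; the moduli it builds are placeholder odd numbers of the right size, not real safe primes, and the minimum of 2048 bits mirrors the requirement stated in the report.

```python
"""Check the group size of a PEM-encoded Diffie-Hellman parameter file.

Added example (hypothetical helper, not Apache httpd code). It parses:

    DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }

as written by "openssl dhparam", and reports the prime's bit length so a
file can be vetted before it is used as server-side DHE parameters.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from a 'DH PARAMETERS' PEM block."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, p_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for prime")
    tag, g_bytes, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER for generator")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_group_bits(pem_text):
    """Bit length of the DH prime, i.e. the group size an admin cares about."""
    p, _ = parse_dh_params(pem_text)
    return p.bit_length()


def meets_minimum(pem_text, minimum_bits=2048):
    """True if the file's group is at least minimum_bits wide."""
    return dh_group_bits(pem_text) >= minimum_bits


# --- encoder, used only to build constructed test input offline ---------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    # One extra byte keeps the sign bit clear for positive values.
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return bytes([0x02]) + _der_len(len(b)) + b


def make_dh_pem(p, g=2):
    """Wrap (p, g) as a 'DH PARAMETERS' PEM block (constructed input only)."""
    body = _der_int(p) + _der_int(g)
    der = bytes([0x30]) + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py dhparam2048.pem
    text = open(sys.argv[1]).read()
    bits = dh_group_bits(text)
    print(f"{sys.argv[1]}: {bits}-bit group", "OK" if bits >= 2048 else "TOO SMALL")
```

On a real file the usage is "python dhcheck.py dhparam2048.pem"; a 1024-bit file generated by "openssl dhparam 1024" is reported as too small, a 2048-bit one passes. The parser only measures the group size; primality and safe-prime structure are still the job of "openssl dhparam -check".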

