httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1527296 - in /httpd/httpd/trunk/docs/manual: mod/mod_ssl.html.en ssl/ssl_faq.html.en
Date Sun, 29 Sep 2013 10:41:52 GMT
Author: kbrand
Date: Sun Sep 29 10:41:52 2013
New Revision: 1527296

URL: http://svn.apache.org/r1527296
Log:
update transformations for mod_ssl and ssl_faq

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1527296&r1=1527295&r2=1527296&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Sun Sep 29 10:41:52 2013
@@ -568,12 +568,33 @@ SSLCertificateChainFile /usr/local/apach
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
 </table>
 <p>
-This directive points to the PEM-encoded Certificate file for the server and
-optionally also to the corresponding RSA or DSA Private Key file for it
-(contained in the same file). If the contained Private Key is encrypted the
-Pass Phrase dialog is forced at startup time. This directive can be used up to
-three times (referencing different filenames) when both a RSA, a DSA, and an
-ECC based server certificate is used in parallel.</p>
+This directive points to the file with the PEM-encoded certificate,
+optionally also the corresponding private key, and - beginning with
+version 2.5.0-dev as of 2013-09-29 - DH parameters and/or an EC curve name
+for ephemeral keys (as generated by <code>openssl dhparam</code>
+and <code>openssl ecparam</code>, respectively). If the private key
+is encrypted, the pass phrase dialog is forced at startup time.
+</p>
+<p>
+This directive can be used up to three times (referencing different filenames)
+when both an RSA, a DSA, and an ECC based server certificate is used in
+parallel. Note that DH and ECDH parameters are only read from the first
+<code class="directive">SSLCertificateFile</code> directive.</p>
+
+<div class="note">
+<h3>DH parameter interoperability with primes &gt; 1024 bit</h3>
+<p>
+Beginning with version 2.5.0-dev as of 2013-09-29, mod_ssl makes use of
+standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits
+(from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>), and hands
+them out to clients based on the length of the certificate's RSA/DSA key.
+With Java-based clients in particular (Java 7 or earlier), this may lead
+to handshake failures - see this
+<a href="../ssl/ssl_faq.html#javadh">FAQ answer</a> for working around
+such issues.
+</p>
+</div>
+
 <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
 SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
 </pre>
@@ -715,6 +736,15 @@ prefixes are:</p>
 <li><code>-</code>: remove cipher from list (can be added later again)</li>
 <li><code>!</code>: kill cipher from list completely (can <strong>not</strong>
be added later again)</li>
 </ul>
+
+<div class="note">
+<h3><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
+ciphers are always disabled</h3>
+<p>Beginning with version 2.5.0-dev as of 2013-09-25, null and export-grade
+ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
+cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
+</div>
+
 <p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
 -v</code>'' command which provides a nice way to successively create the
 correct <em>cipher-spec</em> string. The default <em>cipher-spec</em>
string

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en?rev=1527296&r1=1527295&r2=1527296&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en Sun Sep 29 10:41:52 2013
@@ -524,6 +524,8 @@ Does this mean the username/password is 
 <li><a href="#msie">Why do I get I/O errors when connecting via
 HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer
 (MSIE)?</a></li>
+<li><a href="#srp">How do I enable TLS-SRP?</a></li>
+<li><a href="#javadh">Why do I get handshake failures with Java-based clients
when using a certificate with more than 1024 bits?</a></li>
 </ul>
 
 <h3><a name="random" id="random">Why do I get lots of random SSL protocol
@@ -746,6 +748,37 @@ SetEnvIf User-Agent "MSIE [2-5]" \
     </code></p></div>
 
 
+<h3><a name="javadh" id="javadh">Why do I get handshake failures with Java-based
clients when using a certificate with more than 1024 bits?</a></h3>
+    <p>Beginning with version 2.5.0-dev as of 2013-09-29,
+    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>
will use DH parameters which include primes
+    with lengths of more than 1024 bits. Java 7 and earlier limit their
+    support for DH prime sizes to a maximum of 1024 bits, however.</p>
+
+    <p>If your Java-based client aborts with exceptions such as
+    <code>java.lang.RuntimeException: Could not generate DH keypair</code> and
+    <code>java.security.InvalidAlgorithmParameterException: Prime size must be
+    multiple of 64, and can only range from 512 to 1024 (inclusive)</code>,
+    and httpd logs <code>tlsv1 alert internal error (SSL alert number 80)</code>
+    (at <code class="directive"><a href="../mod/core.html#loglevel">LogLevel</a></code>
<code>info</code>
+    or higher), you can either rearrange mod_ssl's cipher list with
+    <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>
+    (possibly in conjunction with <code class="directive"><a href="../mod/mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder</a></code>),
+    or you can use the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code>
+    directive to configure custom DH parameters with a 1024-bit prime, which
+    will always have precedence over any of the built-in DH parameters.</p>
+
+    <p>To generate custom DH parameters, use the <code>openssl dhparam</code>
+    command. Alternatively, you can append the following standard 1024-bit DH
+    parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>,
+    section 6.2 to the respective
+    <code class="directive"><a href="../mod/ssl.html#sslcertificatefile">SSLCertificateFile</a></code>
file:</p>
+    <div class="example"><pre>-----BEGIN DH PARAMETERS-----
+MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
+Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
+/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
+-----END DH PARAMETERS-----</pre></div>
+
+
 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="section">
 <h2><a name="support" id="support">mod_ssl Support</a></h2>



Mime
View raw message