httpd-cvs mailing list archives

Subject: svn commit: r1734077 - /httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.html.en
Date: Tue, 08 Mar 2016 13:18:58 GMT
Author: elukey
Date: Tue Mar  8 13:18:58 2016
New Revision: 1734077

Documentation rebuild


Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.html.en
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.html.en Tue Mar  8 13:18:58 2016
@@ -599,7 +599,8 @@ to support multiple algorithms for serve
 RSA, DSA, and ECC. The number of supported algorithms depends on the
 OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
 <code>openssl list-public-key-algorithms</code> will output a list
-of supported algorithms.
+of supported algorithms, see also the note below about limitations
+of OpenSSL versions prior to 1.0.2 and the ways to work around them.
@@ -649,6 +650,33 @@ such issues.
+<div class="note">
+<h3>Default DH parameters when using multiple certificates and OpenSSL
+versions prior to 1.0.2</h3>
+When using multiple certificates to support different authentication algorithms
+(like RSA, DSA, but mainly ECC) and OpenSSL prior to 1.0.2, it is recommended
+to either use custom DH parameters (preferably) by adding them to the
+first certificate file (as described above), or to order the
+<code class="directive">SSLCertificateFile</code> directives such that RSA/DSA
+certificates are placed <strong>after</strong> the ECC one.
+This is due to a limitation in older versions of OpenSSL which don't let the
+Apache HTTP Server determine the currently selected certificate at handshake
+time (when the DH parameters must be sent to the peer) but instead always
+provide the last configured certificate. Consequently, the server may select
+default DH parameters based on the length of the wrong certificate's key (ECC
+keys are much smaller than RSA/DSA ones and their length is not relevant for
+selecting DH primes).
+Since custom DH parameters always take precedence over the default ones, this
+issue can be avoided by creating and configuring them (as described above),
+thus using a custom/suitable length.
 <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateFile
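Review bot: the explanation at "Consequently, the server may select default DH parameters based on the length of the wrong certificate's key" stops short of the practical consequence the reader needs: when the ECC certificate is the last one configured, the default DH parameters are sized for the much shorter ECC key and are therefore smaller than those an RSA/DSA key of comparable strength would select, which is exactly why the ordering or custom-parameter workaround matters. State that explicitly, and say "DH parameters" rather than "DH primes" so the note uses one term throughout. The phrase "(like RSA, DSA, but mainly ECC)" reads awkwardly; "(RSA, DSA and, most relevantly, ECC)" is clearer. The two "(as described above)" back-references should link to the section that describes adding custom DH parameters to the first certificate file. Finally, only the opening `<div class="note">` is visible here while the hunk header announces 33 added lines, so please confirm the rendered file carries the matching `</div>` before the `<div class="example">` that follows. All of these are source fixes for mod_ssl.xml, not for this generated file.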
@@ -1074,7 +1102,7 @@ certificate being validated references a
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server
config, virtual host</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available
in httpd 2.5 and later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available
in httpd 2.4.19 and later</td></tr>
 <p>This option allows to set the URL of a HTTP proxy that should be used for
 all queries to OCSP responders.</p>
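Review bot: the substance of this hunk is the compatibility correction from "httpd 2.5 and later" to "httpd 2.4.19 and later", which is right for a directive backported to the 2.4.x branch, but the adjacent unchanged description "This option allows to set the URL of a HTTP proxy" is ungrammatical: use "This directive sets the URL of an HTTP proxy to be used for all queries to OCSP responders." As with the rest of this file, the fix belongs in mod_ssl.xml so it survives the next documentation rebuild.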
