httpd-dev mailing list archives

From Hanno Böck <ha...@hboeck.de>
Subject Re: Diffie-Hellman parameter size does not match RSA signature size of SSL certificate
Date Tue, 03 Sep 2013 21:49:59 GMT
On Tue, 3 Sep 2013 10:34:18 -0700
David Lin-Shung Huang <linshunghuang@gmail.com> wrote:

> When using DHE cipher suites on an Apache HTTPS server, we noticed
> (via Wireshark) that the DHE key size (1024 bits) is smaller than our
> RSA signature key size (2048 bits nowadays). This seems to be the
> default behavior, and there are no options to correctly configure the
> DHE key size.
> 
> The DHE modes are supposed to provide forward-secrecy. If a site
> chooses to use a 2048-bit public-key in its cert it means that it
> considers a 1024-bit modulus insecure. One could make the argument
> that since the DH parameters are ephemeral they could be generated
> using a smaller security parameter, but that seems quite dangerous
> since it will not prevent a targeted attack on a specific session.

I raised that topic last time in June. You're right and this really
worries me as many people today cry "let's use PFS" (which is
generally good), but this seriously threatens the security of PFS-modes.

There's an experimental patch to make DH parameters configurable:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

(I have the 2.4.x-patch running on an experimental server and it works
for me)

Both in the bug report and in the thread in June there was zero feedback
from any of the apache devs.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
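A worked version of the check the thread describes, added here as an example rather than code from either poster: it parses the ServerDHParams at the start of a TLS 1.2 DHE ServerKeyExchange (the message one would read off in Wireshark) and compares the ephemeral DH modulus size with the certificate's RSA key size. The handshake bytes are constructed inline, and the certificate key size is assumed to be 2048 bits as in the original post.

```python
import struct

def _read_vec16(buf: bytes, off: int):
    """Read a <1..2^16-1> length-prefixed opaque vector at offset off."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_dhe_server_params(body: bytes) -> dict:
    """Parse ServerDHParams (RFC 5246 section 7.4.3) at the start of a
    ServerKeyExchange body: dh_p, dh_g, dh_Ys, each a 16-bit-length vector.
    Returns the modulus size in bits as a client would observe it."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "ys_bits": int.from_bytes(ys, "big").bit_length(),
        "signature_offset": off,  # where the signature over the params begins
    }

def dh_weaker_than_cert(p_bits: int, cert_key_bits: int) -> bool:
    """True when the ephemeral DH modulus is shorter than the certificate's
    RSA key, i.e. the forward-secret exchange is the weakest link."""
    return p_bits < cert_key_bits

def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct the sample message."""
    def vec(n: int) -> bytes:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return vec(p) + vec(g) + vec(ys)

# Constructed sample: a 1024-bit modulus (top bit set; not a real prime, only
# the length the poster observed), generator 2 and a placeholder public value.
SAMPLE_P = (1 << 1023) | 0x1234567
SAMPLE_BODY = build_server_dh_params(SAMPLE_P, 2, 0x0ABCDEF)
CERT_RSA_BITS = 2048  # assumed certificate key size, as in the post

if __name__ == "__main__":
    params = parse_dhe_server_params(SAMPLE_BODY)
    print(f"DH modulus: {params['p_bits']} bits, cert key: {CERT_RSA_BITS} bits, "
          f"DH weaker than cert: {dh_weaker_than_cert(params['p_bits'], CERT_RSA_BITS)}")
```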
