httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <>
Subject Re: DH params and multiple certificates in one VHost
Date Sat, 19 Apr 2014 06:19:29 GMT
On 18.04.2014 23:19, Falco Schwarz wrote:
> On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor
> <>wrote:
>> Looking at the code, it appears that ssl_callback_TmpDH() in
>> modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
>> this probably needs to be updated.
> That was also my conclusion. It kinda makes sense that ECC keys are not
> matched, because there is no ECDSA+DH cipher.

Right, there are no cipher suites which use ECDSA for authentication and
ephemeral Diffie-Hellman keys (cf. "openssl ciphers -v aECDSA").

ssl_callback_TmpDH() is therefore irrelevant for the ECC case (it is
only called for DHE-* cipher suites, not for ECDHE-* ones). For
ephemeral ECDH, mod_ssl is relying on automatic curve selection, if
available (OpenSSL 1.0.2 or later), see also [1].

> However ssl_callback_TmpDH()
> would either have to iterate through all private keys or just read the
> first key in order to be consistent with DH / ECDH params.

The problem is the one pointed out by Steve in [2] already, I think: in
the callback, SSL_get_privatekey() doesn't get us the private key which
is actually used for the current connection, it only returns the
"current" key i.e. the last one we configured.

> Reindl, that is quite a good guide on how to setup certificates as of
> 2.4.9.

With one noteworthy exception: putting the private key into its own
SSLCertificateKeyFile is preferred over having it in SSLCertificateFile
(BTW, "Harald" would be the first name, I assume you didn't intend to
call him by his last name).




View raw message