httpd-dev mailing list archives

From Falco Schwarz <hid...@falco.me>
Subject DH params and multiple certificates in one VHost
Date Fri, 18 Apr 2014 12:34:33 GMT
As of httpd-2.4.7 the strength of DH temp keys is determined by the private
key's bit length. I recently noticed the following behavior (using
httpd-2.4.9 and openssl-1.0.2-beta2-dev):

I am using multiple certificates for one VHost (ECC and RSA):

    SSLCertificateFile     conf/ssl/example.org.ecc.cer
    SSLCertificateKeyFile  conf/ssl/example.org.ecc.key
    SSLCertificateFile     conf/ssl/example.org.rsa.cer
    SSLCertificateKeyFile  conf/ssl/example.org.rsa.key

If no DH params are specified in the first certificate, then the DH temp
key is dependent on the last private key's bit length, instead of the
first. So, if the ECC key is defined last, then the DH temp key will be
1024-bit. If the RSA key is defined last, then the DH temp key will be
2048-bit.

From a user's perspective it would be helpful if the DH temp key is always
associated with the first certificate, regardless of whether DH params are
specified or not.

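The following is an added checker, not part of Falco's message or of httpd's own code. It models the behaviour he reports (DH params embedded in the first SSLCertificateFile are used; otherwise the temp-key size follows the last configured private key) and reports which key a VHost will end up tied to, so the surprise can be caught before deployment. It assumes PKCS#1 "RSA PRIVATE KEY" and SEC1 "EC PRIVATE KEY" files (PKCS#8 is not handled), and the key and DH-parameter files it inspects are synthetic ASN.1 shapes constructed inline, not usable keys: only the modulus, scalar and prime sizes matter to the check. The helper `with_dh_appended` assumes the usual workaround of concatenating DH params onto the first certificate file.

```python
import base64
import re

def pem_blocks(text):
    """Yield (label, der_bytes) for each -----BEGIN label----- block in text."""
    pat = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
    for m in pat.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_sequence_items(der):
    """Return [(tag, value), ...] for the members of a top-level SEQUENCE."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = der_tlv(body, pos)
        items.append((t, v))
    return items

def embedded_dh_bits(pem_text):
    """Bit length of the prime in a DH PARAMETERS block, or None if absent."""
    for label, der in pem_blocks(pem_text):
        if label == "DH PARAMETERS":       # DHParameter ::= SEQUENCE { p, g }
            return int.from_bytes(der_sequence_items(der)[0][1], "big").bit_length()
    return None

def describe_key(pem_text):
    """('RSA', modulus bits) or ('EC', scalar bits) for the private key in pem_text."""
    for label, der in pem_blocks(pem_text):
        if label == "RSA PRIVATE KEY":     # PKCS#1: SEQUENCE { version, n, e, d, ... }
            return "RSA", int.from_bytes(der_sequence_items(der)[1][1], "big").bit_length()
        if label == "EC PRIVATE KEY":      # SEC1: SEQUENCE { version, privateKey OCTET STRING, ... }
            return "EC", len(der_sequence_items(der)[1][1]) * 8
    raise ValueError("no RSA/EC private key found")

def vhost_cert_pairs(config_text):
    """Ordered (cert_path, key_path) pairs from a VHost's SSLCertificate* lines."""
    certs = re.findall(r"^\s*SSLCertificateFile\s+(\S+)", config_text, re.M)
    keys = re.findall(r"^\s*SSLCertificateKeyFile\s+(\S+)", config_text, re.M)
    return list(zip(certs, keys))

def dh_temp_key_report(config_text, files):
    """files maps path -> PEM text. Models the behaviour reported in the post:
    DH params in the first SSLCertificateFile win; otherwise the size of the
    DH temp key follows the *last* configured private key."""
    pairs = vhost_cert_pairs(config_text)
    explicit = embedded_dh_bits(files[pairs[0][0]])
    if explicit is not None:
        return {"source": "dh-params-in-first-cert", "bits": explicit}
    key_type, key_bits = describe_key(files[pairs[-1][1]])
    return {"source": "last-key", "key_type": key_type, "key_bits": key_bits,
            "warning": len(pairs) > 1}     # only surprising with several certs

# ---- constructed sample inputs: synthetic ASN.1 shapes, NOT usable keys ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 8) // 8, "big")   # spare 0x00 keeps it positive
    return b"\x02" + _der_len(len(b)) + b

def _der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_DH_PEM = to_pem("DH PARAMETERS", _der_seq(_der_int((1 << 1023) | 1), _der_int(2)))
SAMPLE_RSA_KEY = to_pem("RSA PRIVATE KEY", _der_seq(
    _der_int(0), _der_int((1 << 2047) | 1), _der_int(65537), *[_der_int(0)] * 6))
SAMPLE_EC_KEY = to_pem("EC PRIVATE KEY", _der_seq(_der_int(1), b"\x04\x20" + bytes(32)))
SAMPLE_CERT = to_pem("CERTIFICATE", _der_seq())        # placeholder, never inspected

FILES = {
    "conf/ssl/example.org.ecc.cer": SAMPLE_CERT,
    "conf/ssl/example.org.ecc.key": SAMPLE_EC_KEY,
    "conf/ssl/example.org.rsa.cer": SAMPLE_CERT,
    "conf/ssl/example.org.rsa.key": SAMPLE_RSA_KEY,
}
CONFIG_ECC_FIRST = """
    SSLCertificateFile     conf/ssl/example.org.ecc.cer
    SSLCertificateKeyFile  conf/ssl/example.org.ecc.key
    SSLCertificateFile     conf/ssl/example.org.rsa.cer
    SSLCertificateKeyFile  conf/ssl/example.org.rsa.key
"""
CONFIG_RSA_FIRST = """
    SSLCertificateFile     conf/ssl/example.org.rsa.cer
    SSLCertificateKeyFile  conf/ssl/example.org.rsa.key
    SSLCertificateFile     conf/ssl/example.org.ecc.cer
    SSLCertificateKeyFile  conf/ssl/example.org.ecc.key
"""

def with_dh_appended(files, cert_path, dh_pem=SAMPLE_DH_PEM):
    """Copy of files with DH params appended to cert_path (the workaround)."""
    fixed = dict(files)
    fixed[cert_path] = files[cert_path] + dh_pem
    return fixed

if __name__ == "__main__":
    print(dh_temp_key_report(CONFIG_ECC_FIRST, FILES))   # last key: RSA 2048
    print(dh_temp_key_report(CONFIG_RSA_FIRST, FILES))   # last key: EC 256
    print(dh_temp_key_report(CONFIG_ECC_FIRST,
                             with_dh_appended(FILES, "conf/ssl/example.org.ecc.cer")))
```

Run against real files, read each path named in the VHost into the `files` dict; the report's `warning` flag is the case from the post (several certificates, no explicit DH params in the first one), and the third call shows that appending DH params to the first certificate file makes the result independent of directive order.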