httpd-dev mailing list archives

From olli hauer <oha...@gmx.de>
Subject Re: Upcoming 2.2.x any chance to include the following fixes/additions
Date Mon, 25 May 2015 20:42:55 GMT
On 2015-05-24 23:25, Rainer Jung wrote:
> On 24.05.2015 at 23:08, olli hauer wrote:
>> Hi,
>>
>> is there a chance to get the following revisions merged to 2.2.x
>> - r1551685, r1652929 (fix IPv4 mapping on FreeBSD)
>>
>>
>> In ssl_engine_dh.c there are calls to generate dh512 and dh1024,
>> perhaps it is also an idea to drop dh512 and add dh2048 or higher.
>>
>> -system("openssl gendh $rand -out dh512.pem 512");
>> -system("openssl gendh $rand -out dh1024.pem 1024");
>> +system("openssl gendh $rand -out dh1024.pem 1024");
>> +system("openssl gendh $rand -out dh2048.pem 2048");
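Review bot: swapping the dh512 line for a dh2048 line only changes which files the script produces; nothing in this hunk touches the code in ssl_engine_dh.c that consumes the 512-bit output, so the C side may still reference parameters the script no longer emits. Either pair this with the matching edits to the generated dh512 arrays and their lookup, or, as the reply below proposes, drop the embedded script entirely now that "openssl dhparam" output can be included in the certificate file. If the lines are kept, `openssl dhparam -out dh2048.pem 2048` is the current form of the command; `gendh` is the older name for the same operation.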
> 
> I wonder whether we should instead remove that whole embedded perl script. An improvement
> was ported back from 2.4 to 2.2, which means you can simply include the "openssl dhparam" output
> in the certificate file. In addition, by default the next 2.2 will also choose a prime length
> corresponding to the RSA key length in the certificate. So in most cases users should be just
> fine. If admins want to tune, they can by generating params and appending them to the cert
> file.
> 
> What do you think: is there still a need for this embedded perl script?

In my opinion the perl part is no longer required with the new code.

As a side note, running perl against ssl_engine_dh.c will change the type from
- static const unsigned char dh$num_p[]
+ static unsigned char dh$num_p[]


-- 
olli
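As an added example (not code from httpd or from anyone in this thread), here is a small Python tool covering the two points raised above: reading the "openssl dhparam" block appended to a certificate file so its prime length can be checked against a floor such as 2048 bits, and emitting `static const unsigned char dh<bits>_p[]` arrays in the shape the embedded script generates, with the `const` kept. The sample bundle and its 127-bit toy group are constructed for the demonstration; a real deployment would carry a 2048-bit or larger group.

```python
import base64, re

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb

def der_int(value: int) -> bytes:
    """DER INTEGER; the size rule adds a leading 0x00 whenever the top bit is set."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def dh_params_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } as a PEM block."""
    seq = der_int(p) + der_int(g)
    b64 = base64.encodebytes(b"\x30" + der_len(len(seq)) + seq).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length field
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem_text: str):
    """Return (p, g) from the DH PARAMETERS block appended to a certificate file."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in file")
    tag, seq, _ = read_tlv(base64.b64decode(m.group(1)), 0)
    tag_p, p_bytes, pos = read_tlv(seq, 0)
    tag_g, g_bytes, _ = read_tlv(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dh_bits(pem_text: str, min_bits: int = 2048) -> tuple:
    p, _ = parse_dh_params(pem_text)  # prime length decides the group's strength
    return p.bit_length(), p.bit_length() >= min_bits

def to_c_arrays(p: int, g: int) -> str:
    """Emit the arrays in the shape ssl_engine_dh.c uses, keeping the const qualifier."""
    def arr(name: str, value: int) -> str:
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        return (f"static const unsigned char dh{p.bit_length()}_{name}[] = {{ "
                + ", ".join(f"0x{b:02X}" for b in raw) + " };")
    return arr("p", p) + "\n" + arr("g", g) + "\n"

# Constructed sample: a toy 127-bit group (2**127 - 1 is prime) appended after a placeholder cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n" + dh_params_pem(2**127 - 1, 2)
```

Running `check_dh_bits` over a production bundle reports the embedded prime length and whether it meets the 2048-bit floor; `to_c_arrays` shows the array form with `static const` intact.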
