httpd-dev mailing list archives

From Reindl Harald
Subject Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file
Date Tue, 26 May 2015 08:37:58 GMT

On 26.05.2015 at 10:33, Rainer Jung wrote:
> Current mod_ssl code tries to read embedded DH and ECC parameters only
> from the first certificate file. Although this is documented
> "DH and ECDH parameters, however, are only read from the first
> SSLCertificateFile directive, as they are applied independently of the
> authentication algorithm type."
> I find it questionable. I would find it more natural to embed the params
> in the cert files they apply to, so e.g. the DH params in the RSA cert
> file and the EC params in the ECDH cert file and also to not require a
> special order for the files which at the end we do not check. Since
> missing the embedded params goes unnoticed (finding them is only a DEBUG
> log line) it is not very user friendly

honestly it would be much more user friendly to have an own parameter for
that which would make it easy to regenerate the params via cronjobs
without touching the PEM file containing the real certificate and
private key

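An added example, not part of the thread or of mod_ssl: a check that applies the documented rule quoted above (parameters are read only from the first SSLCertificateFile) to an ordered list of PEM files and reports embedded DH or EC parameters that would be silently skipped. The file names and PEM bodies are constructed placeholders.

```python
import re

# PEM labels emitted by `openssl dhparam` and `openssl ecparam`.
PARAM_LABELS = {"DH": "DH PARAMETERS", "EC": "EC PARAMETERS"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9. ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every complete PEM block in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def audit(cert_files):
    """cert_files: (path, pem_text) pairs in SSLCertificateFile order.

    Returns {kind: {"used": path or None, "ignored": [paths]}} under the
    documented rule that only the first file is searched for parameters.
    """
    first = cert_files[0][0]
    report = {}
    for kind, label in PARAM_LABELS.items():
        holders = [p for p, text in cert_files if label in pem_labels(text)]
        report[kind] = {
            "used": first if first in holders else None,
            "ignored": [p for p in holders if p != first],
        }
    return report

def block(label):
    # Constructed placeholder body, not real key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed sample: each file embeds the parameters that "belong" to it.
RSA_PEM = block("CERTIFICATE") + block("DH PARAMETERS")
ECDSA_PEM = block("CERTIFICATE") + block("EC PARAMETERS")
SAMPLE = [("rsa.pem", RSA_PEM), ("ecdsa.pem", ECDSA_PEM)]

if __name__ == "__main__":
    for kind, r in audit(SAMPLE).items():
        for path in r["ignored"]:
            print(f"WARNING: {kind} parameters in {path} are not read "
                  f"(only {SAMPLE[0][0]} is searched)")
```

With the per-certificate layout, either file order leaves one parameter set unread, which is the case the DEBUG-only log line hides.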