httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file
Date Tue, 26 May 2015 08:37:58 GMT

On 26.05.2015 at 10:33, Rainer Jung wrote:
> Current mod_ssl code tries to read embedded DH and ECC parameters only
> from the first certificate file. Although this is documented
>
> "DH and ECDH parameters, however, are only read from the first
> SSLCertificateFile directive, as they are applied independently of the
> authentication algorithm type."
>
> I find it questionable. I would find it more natural to embed the params
> in the cert files they apply to, so e.g. the DH params in the RSA cert
> file and the EC params in the ECDH cert file, and also to not require a
> special order for the files, which in the end we do not check. Since
> missing the embedded params goes unnoticed (finding them is only a DEBUG
> log line), it is not very user friendly.

Honestly, it would be much more user friendly to have a separate parameter 
for that, which would make it easy to regenerate the params via cron jobs 
without touching the PEM file containing the real certificate and 
private key.
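An added check for the behaviour quoted in this thread (example code, not from the thread or from the httpd project): mod_ssl takes embedded DH/EC parameters from the first SSLCertificateFile only, and parameters sitting in a later certificate file are ignored with nothing louder than a DEBUG line. The script below reads a vhost fragment, finds that first file, reports whether it carries DH PARAMETERS / EC PARAMETERS blocks, and warns about parameter blocks in later files that would never be read. The config, file paths and PEM bodies are constructed placeholders (not real certificates or parameters); the check only looks for the PEM block markers and does not validate the parameters themselves, and it models the documented rule rather than mod_ssl's actual parsing code.

```shell
#!/bin/sh
# Added example, not code from the httpd thread or from the httpd project.
# Models the documented mod_ssl rule: embedded DH/EC parameters are read
# from the FIRST SSLCertificateFile only; parameters in later certificate
# files are silently ignored. All paths and PEM bodies are constructed
# placeholders for the demonstration.

WORK="$(mktemp -d)"

# Constructed RSA cert file: listed first, carries the DH parameters
# (placeholder bodies, not a real certificate or real parameters).
cat > "$WORK/rsa.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
(constructed placeholder, not real DH parameters)
-----END DH PARAMETERS-----
EOF

# Constructed ECDSA cert file: carries EC parameters, but it is listed
# second, so mod_ssl would never look at them.
cat > "$WORK/ecdsa.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
(constructed placeholder, not real EC parameters)
-----END EC PARAMETERS-----
EOF

# Constructed vhost fragment referencing the two files above.
cat > "$WORK/ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "$WORK/rsa.crt"
    SSLCertificateKeyFile "$WORK/rsa.key"
    SSLCertificateFile    "$WORK/ecdsa.crt"
    SSLCertificateKeyFile "$WORK/ecdsa.key"
</VirtualHost>
EOF

# Print every SSLCertificateFile value in order (directive names are
# case-insensitive in httpd; surrounding quotes are stripped).
all_cert_files() {
    awk 'tolower($1) == "sslcertificatefile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# The one file mod_ssl scans for embedded parameters.
first_cert_file() {
    all_cert_files "$1" | head -n 1
}

# Exit 0 when FILE contains both the BEGIN and END marker of a PEM block TYPE.
pem_has_block() {
    grep -q -- "^-----BEGIN $2-----\$" "$1" && grep -q -- "^-----END $2-----\$" "$1"
}

# "yes"/"no": does the first certificate file carry the given block type?
first_file_has() {
    if pem_has_block "$(first_cert_file "$1")" "$2"; then echo yes; else echo no; fi
}

# List later certificate files whose DH/EC parameter blocks would be ignored.
ignored_param_files() {
    all_cert_files "$1" | tail -n +2 | while read -r f; do
        if pem_has_block "$f" "DH PARAMETERS" || pem_has_block "$f" "EC PARAMETERS"; then
            echo "$f"
        fi
    done
}

# Human-readable audit of one config file.
audit_config() {
    echo "first SSLCertificateFile: $(first_cert_file "$1")"
    echo "  DH PARAMETERS present: $(first_file_has "$1" "DH PARAMETERS")"
    echo "  EC PARAMETERS present: $(first_file_has "$1" "EC PARAMETERS")"
    ignored_param_files "$1" | while read -r f; do
        echo "WARNING: $f carries DH/EC parameters that mod_ssl will not read (not the first SSLCertificateFile)"
    done
}

audit_config "$WORK/ssl.conf"
```

Against a real deployment, point the audit at the vhost file instead of the constructed one. If the first file is missing the parameters, generate them (for example `openssl dhparam -out dh.pem 2048` and `openssl ecparam -name prime256v1 -out ec.pem`), append both PEM files to the first SSLCertificateFile, and re-run the audit; a cron job that regenerates parameters must append to that file, not to whichever certificate file they logically belong to.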

