httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Possible mod_ssl's backports to 2.2.x? (was: Looking ahead to 2.4.13 / 2.2.30)
Date Thu, 07 May 2015 08:47:35 GMT
On Tue, May 5, 2015 at 3:14 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
>   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
>      allowing custom parameters to be configured via SSLCertificateFile,
>      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
>      Unless custom parameters are configured, the standardized parameters
>      are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

I forgot to mention that this might potentially break some clients
(Java 7 and earlier only?), as noted in the docs/faq changes.
These expect 1024 bits DH params prime lengths whatever the
certificate's modulus' length is...
Should we have a special (2.2.x only?) directive to help mitigate the
possible regression (e.g. to force 1024 primes max only, default?), or
is the documented workaround enough (i.e. add dhparams in the
configured SSLCertificateFile)?

BTW, I proposed [1] for backport in r1678107, having tested the patch
successfully for [E[C]]DH, with certificates (modulus) >= 1024 bits,
and OpenSSL versions 0.9.7a, 0.9.8o, 1.0.1m and 1.0.2a.

[1] http://people.apache.org/~ylavic/httpd-2.2.x-mod_ssl-improved_EDH.patch

Mime
View raw message