httpd-docs mailing list archives

From Tom <>
Subject Re: [Bug 59087] DH parameters with too small prime lengths used with openssl < 1.0.2
Date Fri, 04 Mar 2016 18:21:21 GMT
OpenSSL 1.0.1 is being retired at the end of the year, so changes are unlikely.
Sent from my phone. 

On 4 March 2016 16:21:07 GMT+00:00, wrote:
>Yann Ylavic <> changed:
>           What    |Removed                     |Added
>                 CC|                            |
>--- Comment #10 from Yann Ylavic <> ---
>(In reply to Björn Jacke from comment #9)
>> It is not possible to iterate once over the certs and use the strongest
>> cert for the DH param size calculation?
>We could do that, but it's quite complicated to work around an openssl
>limitation on older versions, and that may also "annoy" some other
>Feel free to ask the openssl team to give the DH callback the correct
>key in 1.0.1 (and earlier) since that would be the correct fix (don't
>know if that could break other usages, though).
>> But in any case: If we *know* that we mis-calculate the DH param size
>> openssl 1.0.1,
>We know that we *can* mis-calculate the size with incorrect
>hence the change to a documentation PR.
>> then we should at least set the minimum DH param length to a
>> reasonable secure size. And 1024 is considered not secure these days.
>> best solution then would be to increase the minimum DH param size e.g. to
>> 2048, wouldn't it? People who have interoperability issues with large
>> sizes because of Java clients or whatever can still set fixed DH
>> as commented in ssl_engine_kernel.c already for the current (weak)
>> limit.
>You could also use your own DH params with the suitable size and that's
>There is no point to set 2048 DHs with 1024 certs, and we need the
>cert to figure out...
>Why break existing configurations?
