httpd-docs mailing list archives

From Tom <...@falkensweb.com>
Subject Re: [Bug 59087] DH parameters with too small prime lengths used with openssl < 1.0.2
Date Fri, 04 Mar 2016 18:21:21 GMT
OpenSSL 1.0.1 is being retired at the end of the year, so changes are unlikely.
-- 
Tom
Sent from my phone. 

On 4 March 2016 16:21:07 GMT+00:00, bugzilla@apache.org wrote:
>https://bz.apache.org/bugzilla/show_bug.cgi?id=59087
>
>Yann Ylavic <ylavic.dev@gmail.com> changed:
>
>           What    |Removed                     |Added
>----------------------------------------------------------------------------
>                 CC|                            |ylavic.dev@gmail.com
>
>--- Comment #10 from Yann Ylavic <ylavic.dev@gmail.com> ---
>(In reply to Björn Jacke from comment #9)
>> It is not possible to iterate once over the certs and use the strongest cert for the DH param size calculation?
>
>We could do that, but it's quite complicated to work around an openssl limitation on older versions, and that may also "annoy" some other httpd user...
>Feel free to ask the openssl team to give the DH callback the correct private key in 1.0.1 (and earlier) since that would be the correct fix (don't know if that could break other usages, though).
>
>>
>> But in any case: If we *know* that we mis-calculate the DH param size with openssl 1.0.1,
>
>We know that we *can* mis-calculate the size with incorrect configuration, hence the change to a documentation PR.
>
>> then we should at least set the minimum DH param length to a reasonable secure size. And 1024 is considered not secure these days. The best solution then would be to increase the minimum DH param size e.g. to 2048, wouldn't it? People who have interoperability issues with large DH sizes because of Java clients or whatever can still set fixed DH parameters as commented in ssl_engine_kernel.c already for the current (weak) 1024 limit.
>
>You could also use your own DH params with the suitable size and that's it.
>There is no point to set 2048 DHs with 1024 certs, and we need the relevant cert to figure out...
>Why break existing configurations?
>
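The workaround discussed above (ship your own DH parameters of a suitable size instead of relying on the size mod_ssl derives from the certificate on OpenSSL 1.0.1) only helps if the file you deploy really carries a large enough prime. The following is an added example, not code from httpd, OpenSSL or the bug report: it reads the prime length out of a PEM "DH PARAMETERS" block (PKCS#3 SEQUENCE of prime and generator) and checks it against a minimum. `make_dh_pem` and the `WEAK_DH_PEM`/`STRONG_DH_PEM` inputs are constructed test data whose "primes" are placeholders, not vetted group parameters.

```python
import base64
import re

# Added example: inspect the prime length of a PEM DH PARAMETERS block, the
# kind of file appended to SSLCertificateFile to override mod_ssl's defaults.
def _der_len_enc(n):
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_len_dec(data, pos):
    """Decode the DER length at data[pos]; return (length, index after it)."""
    if data[pos] < 0x80:
        return data[pos], pos + 1
    n = data[pos] & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(value):
    """DER INTEGER; the spare byte keeps the sign bit clear for large values."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_enc(len(body)) + body

def make_dh_pem(p, g=2):
    """Build a DH PARAMETERS PEM; used here only for constructed test input."""
    der = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(der)) + der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def dh_prime_bits(pem_text):
    """Bit length of the prime p in the first DH PARAMETERS block of pem_text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, pos = _der_len_dec(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER prime")
    plen, pos = _der_len_dec(der, pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def dh_params_acceptable(pem_text, minimum_bits=2048):
    return dh_prime_bits(pem_text) >= minimum_bits

# Constructed inputs: odd numbers of the right size stand in for real primes.
WEAK_DH_PEM = make_dh_pem((1 << 1023) | 1)
STRONG_DH_PEM = make_dh_pem((1 << 2047) | 1)
```

Run `dh_params_acceptable` over the file you actually append to the certificate; a 1024-bit group fails the 2048-bit minimum the thread argues for.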
