httpd-docs mailing list archives

Subject [Bug 59087] DH parameters with too small prime lengths used with openssl < 1.0.2
Date Mon, 07 Mar 2016 19:44:03 GMT

--- Comment #11 from Luca Toscano ---
Hi Yann and Björn,

I would like to update mod_ssl's documentation with this use case but to be as
precise as possible I'd ask for an example of "good"/"bad" behavior (or maybe
Björn's complete use case if it can be disclosed). 

From what I gathered:

SSLCertificateFile  "path_to_ECC_certificate.crt"
SSLCertificateFile  "path_to_RSA_SSL_certificate1.crt"

Issue: DH key exchange uses weak params for connections using the RSA cert (for
the authentication part).

Motivation: openssl < 1.0.2 lacks support for selecting the current certificate
when multiple ones are configured for the same context.

As you can see my understanding is not really marvelous, I haven't played
around with ECC and at first sight this bug seems a bit strange to me (so it
might be the same for other people).

Further question: is there any issue if a dh_param.pem is added and the order
is not the above one?   

Thanks and sorry for the extra work :)

