httpd-docs mailing list archives

From bugzi...@apache.org
Subject [Bug 59087] DH parameters with too small prime lengths used with openssl < 1.0.2
Date Mon, 07 Mar 2016 19:44:03 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59087

--- Comment #11 from Luca Toscano <toscano.luca@gmail.com> ---
Hi Yann and Björn,

I would like to update mod_ssl's documentation with this use case, but to be as
precise as possible I'd ask for an example of "good"/"bad" behavior (or maybe
Björn's complete use case if it can be disclosed).

From what I gathered:
--------------------
Good:

SSLCertificateFile  "path_to_ECC_certificate.crt"
SSLCertificateFile  "path_to_RSA_SSL_certificate1.crt"

Issue: DH key exchange uses weak params for connections using the RSA cert (for
the authentication part).

Motivation: openssl < 1.0.2 lacks support for selecting the current certificate
when multiple ones are configured for the same context.
---------------------

As you can see, my understanding is not really marvelous. I haven't played
around with ECC, and at first sight this bug seems a bit strange to me (so it
might be the same for other people).

Further question: is there any issue if a dh_param.pem is added and the order
is not the above one?   

Thanks and sorry for the extra work :)

Luca

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
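
One way to see which DH prime length a server actually hands out for the case discussed in the message above, as an added example that is not part of the original message or of httpd's own code: it classifies the "Server Temp Key" line that an OpenSSL 1.0.2 or later `s_client` prints. The 2048-bit threshold, the function name and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Classify the ephemeral key reported by `openssl s_client`.
# Assumption: the client is OpenSSL 1.0.2 or later, which prints a line such as
#   Server Temp Key: DH, 1024 bits
# MIN_DH_BITS is a threshold chosen for this example, not taken from the bug.
MIN_DH_BITS=2048

# Reads s_client output on stdin and prints one verdict line:
#   WEAK DH <bits>   finite-field DH below the threshold
#   OK <type> <bits> any other ephemeral key
#   UNKNOWN          no "Server Temp Key" line present
check_temp_key() {
    awk -v min="$MIN_DH_BITS" '
        /^Server Temp Key:/ {
            found = 1
            type = $4; sub(/,$/, "", type)   # "DH," -> "DH"
            bits = $(NF - 1) + 0             # number just before "bits"
            if (type == "DH" && bits < min)
                print "WEAK DH " bits
            else
                print "OK " type " " bits
            exit
        }
        END { if (!found) print "UNKNOWN" }
    '
}

# Against a live server (HOST is a placeholder), restrict the handshake to
# DHE suites so the DH parameters are exercised:
#   openssl s_client -connect HOST:443 -tls1_2 -cipher DHE </dev/null 2>/dev/null \
#       | check_temp_key

# Constructed sample lines, not captured from a real server.
for line in 'Server Temp Key: DH, 1024 bits' \
            'Server Temp Key: DH, 2048 bits' \
            'Server Temp Key: ECDH, P-256, 256 bits'; do
    printf '%s\n' "$line" | check_temp_key
done
```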

