httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <>
Subject Re: [users@httpd] SSLOpenSSLConfCmd DHParameters and 2048-bit groups in Apache httpd 2.2.29 (current)
Date Fri, 22 May 2015 21:45:43 GMT
On Fri, May 22, 2015 at 11:08 PM, karl karloff <> wrote:
> Apache httpd 2.4.8+ (including 2.4.12 -- current) appear to have support for this using
the a configuration entry similar to this one:
>         SSLOpenSSLConfCmd DHParameters "/PATH/dhparams.pem"
> It has also been reported that Apache httpd 2.4.7+ can support this by appending the
DH PARAMETERS to the end of the ssl certificate file, e.g.:
>         -----BEGIN CERTIFICATE-----
>         -----END CERTIFICATE-----
>         -----BEGIN DH PARAMETERS-----
>         -----END DH PARAMETERS-----

Unless you are using static DH certificates (not RSA nor DSS, quite
rare), you don't really need the above in Apache httpd 2.4.7 and
The ephemeral/anonymous DH ([EC]DHE, those providing perfect forward
secrecy) will be computed automatically from standardized DH primes
(parameters) whose size is based on the server certificate's modulus
(namely 2048/3072/4096/6144/8192, or still 1024 if the certificates is
a -not recommended- 1024 bits one).

> This has been noted in the httpd SSL FAQ documentation (

This doc is hence only about (still) using 1024 bits DH even when the
certificate is 2048 bits (to address old JRE limits and preserve

> I am unable to find any documentation on this feature set for anything in the httpd 2.2.x
branch including the 2.2.29 (current) release.
> I have attempted to use both of these methods in httpd 2.2.29, but have been unable to
do so successfully.
> Are 2048-bit Diffie-Hellman groups supported in the Apache httpd 2.2.x branch?  Is it
possible that this feature will be ported to the 2.2.x branch?  Has anyone already done so?

The good news is that this has been backported in the upcoming 2.2.30 (soon).
Not SSLOpenSSLConfCmd though, but you probably don't need it for this
purpose as explained above, 2048 bits or more [EC]DHE should work out
of the box.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message