httpd-users mailing list archives

From: "Michael A. Peters" <mpet...@domblogger.net>
Subject: [users@httpd] DH Parameters
Date: Tue, 08 Sep 2015 20:41:37 GMT

Apache 2.4.16 built against LibreSSL 2.2.3 on x86_64 Linux

There is an old patch to Apache:

https://bz.apache.org/bugzilla/show_bug.cgi?id=49559

It provided a new directive

SSLDHParametersFile /path/to/dh2048.pem

The patch no longer applies and even if I could make it apply and build 
I'm not confident I could do it safely.

The current method with Apache is to apply the DH parameters to the 
certificate, which I find distasteful - or to use the

SSLOpenSSLConfCmd

directive, but that requires OpenSSL 1.0.2 and appears to be a new API 
feature not in LibreSSL, which is only API compatible with OpenSSL 1.0.1.

What I would like to do is throw a script in /etc/cron.weekly/ that once 
a week does a regeneration of the DH parameters and reloads Apache.

I can do that with Postfix etc. easy enough, but not with Apache, not 
unless the script manipulates the TLS certificate file which I really 
don't see as wise or the way things should be done.

Is anyone aware of a current patch to Apache that does something similar 
to that old patch?

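The weekly job described in the message, sketched for builds where `SSLOpenSSLConfCmd DHParameters "<file>"` is available (OpenSSL 1.0.2 or later, so not the LibreSSL build in the post). This is an added example, not part of the original message: `rotate_dh`, the variable names and the script name `rotate-dh` are assumptions, and the default path is the placeholder from the post.

```shell
#!/bin/sh
# Added example: regenerate DH parameters, validate them, swap them in
# atomically, and reload httpd only if the configuration still parses.
# Assumes httpd.conf contains:  SSLOpenSSLConfCmd DHParameters "$DH_FILE"
DH_FILE="${DH_FILE:-/path/to/dh2048.pem}"       # placeholder path from the post
DH_BITS="${DH_BITS:-2048}"
CHECK_CMD="${CHECK_CMD:-apachectl configtest}"  # must succeed before any reload
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

rotate_dh() {
    dir=$(dirname "$DH_FILE")
    # Temp file in the same directory, so the final mv is an atomic rename
    # and httpd never sees a half-written parameter file.
    tmp=$(mktemp "$dir/.dh.XXXXXX") || return 1

    if ! openssl dhparam -out "$tmp" "$DH_BITS" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Validate what was written: the check must pass and the size must match.
    # The report text is inspected because older openssl releases exit 0
    # even when -check only prints a warning.
    report=$(openssl dhparam -in "$tmp" -check -text -noout 2>&1) || report=
    if ! printf '%s\n' "$report" | grep -q 'appear to be ok' ||
       ! printf '%s\n' "$report" | grep -q "($DH_BITS bit)"; then
        rm -f "$tmp"
        return 1
    fi

    if ! mv -f "$tmp" "$DH_FILE"; then
        rm -f "$tmp"
        return 1
    fi

    # A broken configuration must not take the running server down:
    # skip the reload and return non-zero so cron reports it.
    $CHECK_CMD >/dev/null 2>&1 && $RELOAD_CMD
}

# Runs only when installed under the assumed name /etc/cron.weekly/rotate-dh.
case "${0##*/}" in
    rotate-dh) rotate_dh || echo "rotate-dh: DH rotation failed" >&2 ;;
esac
```

If generation or validation fails, the previous parameter file is left in place and no reload is attempted.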