httpd-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] ECC Curve Order Preference
Date Wed, 02 Sep 2015 12:22:15 GMT
On Wed, Sep 2, 2015 at 1:48 PM, Jason - <winpackjason@outlook.com> wrote:
> I have Ubuntu 15.04 with Apache 2.4.10 (OpenSSL 1.0.1f) and I would like to
> configure Apache ssl.conf specifically for "ECC Curve Order", as on Windows
> 10, where I select the preferred order of Elliptic Curves. I have two
> questions related to this:
>
> 1) On OpenSSL, how do I view the supported ECC Curves (e.g. NISTp521,
> brainpool, etc.) of my system?

"openssl ecparam -list_curves" should do it.

>
> 2) On Apache, how do I configure (inside ssl.conf) the curve order? Can I
> also set it to follow a specific preference order? (I would prefer 1st
> P-521, 2nd P-384, 3rd P-256, and not P-256 by default as my Apache does...)

With OpenSSL-1.0.2 and later, it is possible to use the
SSLOpenSSLConfCmd directive (see [1], e.g. "SSLOpenSSLConfCmd Curves
P-521:P-384:...").

Since you use an earlier version, I think you can only change the
default curve by appending ecparams to the server's SSLCertificateFile
(see [2]).

Regards,
Yann.

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd
[2] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
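
The two options in the reply above, as an added shell example that is not part of the original message: it filters a preferred curve list against `openssl ecparam -list_curves` output and prints either the `SSLOpenSSLConfCmd Curves` line (OpenSSL 1.0.2 and later) or the `ecparam` append for the single default curve. The function names, the `server.crt` path and the sample curve list are assumptions made for the example.

```shell
# Added example, not from the thread; function names and server.crt are hypothetical.
# Constructed sample in the format printed by "openssl ecparam -list_curves".
SAMPLE_CURVES='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'

# Map the NIST names used in the question to OpenSSL's curve names.
nist_to_openssl() {
    case "$1" in
        P-521) echo secp521r1 ;; P-384) echo secp384r1 ;;
        P-256) echo prime256v1 ;; *) echo "$1" ;;
    esac
}

# Succeeds when the OpenSSL version (e.g. "1.0.1f") is 1.0.2 or later.
supports_conf_cmd() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop the letter suffix
    oldIFS=$IFS; IFS=.; set -- $ver; IFS=$oldIFS
    [ "${1:-0}" -gt 1 ] && return 0
    [ "${1:-0}" -eq 1 ] && [ "${2:-0}" -gt 0 ] && return 0
    [ "${1:-0}" -eq 1 ] && [ "${2:-0}" -eq 0 ] && [ "${3:-0}" -ge 2 ] && return 0
    return 1
}

# Keep the requested curves (colon-separated, preference order) that the build lists.
build_curves() {
    out=; oldIFS=$IFS; IFS=:
    for c in $1; do
        name=$(nist_to_openssl "$c")
        if printf '%s\n' "$2" | grep -q "^ *$name *:"; then out=${out:+$out:}$c; fi
    done
    IFS=$oldIFS
    printf '%s\n' "$out"
}

# Print the setting to apply: the full list on >= 1.0.2, else one default curve.
curve_config() {
    curves=$(build_curves "$2" "$3")
    [ -n "$curves" ] || { echo "no requested curve is supported" >&2; return 1; }
    if supports_conf_cmd "$1"; then
        echo "SSLOpenSSLConfCmd Curves $curves"
    else
        echo "openssl ecparam -name $(nist_to_openssl "${curves%%:*}") >> $4"
    fi
}

curve_config 1.0.1f P-521:P-384:P-256 "$SAMPLE_CURVES" server.crt
```

On a live host, pass the second field of `openssl version` as the version and the real output of `openssl ecparam -list_curves` in place of the sample.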
