httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael A. Peters" <>
Subject Re: [users@httpd] DH^H^H EC parameter selection on httpd 2.2
Date Sat, 01 Apr 2017 00:59:13 GMT
On 03/31/2017 07:52 AM, Christopher Schultz wrote:
> Hash: SHA256
> All,
> On 3/30/17 4:32 PM, Christopher Schultz wrote:
>> All,
>> I'm running httpd 2.2.31 on Amazon Linux, and the docs for
>> SSLCertificateFile say:
>> " Beginning with version 2.2.30, mod_ssl makes use of standardized
>> DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192
>> bits (from RFC 3526), and hands them out to clients based on the
>> length of the certificate's RSA/DSA key. "
>> I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL
>> Labs' SSL testing tool. That suggests that the DH parameter
>> strength is less than what I was expecting: 4096-bit (or
>> equivalent).
>> How does httpd determine which DH primes to use based upon the RSA
>> key? The server's key is 4096-bit, but the issuer's key (in the
>> chain) is 2048-bit. Is that the reason SSL Test is not giving me
>> full marks?
>> I'm trying to create a 4096-bit parameters file (to attach to the
>> RSA key chain), but it's taking a while so I figured I'd ask in the
>> meantime .
> I added my 4096-bit DH parameters to the end of my cert file, like this:
> [my RSA certificate]
> - -----END CERTIFICATE-----
> [my DH parameters data]
> - -----END DH PARAMETERS-----
> and restarted httpd.
> When running SSL Labs' test, it tells me the following:
> cipher / key-exch / strength / forward-security
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq.
> 3072 bits RSA)   FS
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq.
> 3072 bits RSA)   FS
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 4096 bits   FS
> So it looks like the DH parameters are okay, but the EC RSA-bit-equiv
> is only 3072.
> Does this mean that I'd need to create an ecparam file to raise that
> RSA-bit-equiv even higher?

Do not worry about getting 100% on all four of the SSL Labs tests.

2048-bit DHE primes are not going to cracked anytime soon.

If you want to get 100% in all four of their testing areas it can be 
done but it requires an ECDSA cert with a very limited number of TLS 1.2 
ciphers that only support 256-bit ECDHE. (one of my 

But in practice 2048-bit RSA cert is secure.

Rather than attempting to get 100% in all four of their metrics, strive 
to get a A+ rating with only a handful (less than 10) ciphers that all 
support forward secrecy.

When all of your ciphers support forward secrecy, then the server 
private/public key is only used for hostname authentication, not 
encryption. 2048-bit RSA most certainly is good enough for that, 
especially if you generate a new private key once a year.

With respect to forward secrecy, make sure your ECDHE ciphers are listed 
first so that clients that support them will use them, and clients that 
don't support ECDHE will still be able to use the DHE ciphers.

I tend to use the following on servers with RSA certs:

SSLHonorCipherOrder on

It doesn't get me 100% on all four of the checks but I still get an A+ 
rating and know the server is secure, with a 2048-bit RSA cert and 2048 
DH parameters.

Using RSA > 2048-bit and DH params > 2048-bit results in more work for 
the server and the client without any real world benefit.

Yes technically harder to break, but if I can only jump 10 feet then a 
50 foot moat is just as effective as a 100 foot moat.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message