On Thu, 20 May 1999, Ralf S. Engelschall wrote:
>
> Ok, after a _very_ deep breath today, I've committed the Diffie-Hellman/DSA
> support for mod_ssl. Puhhhhhh!
>
> If you remember, I already started to prepare this complex change
> in November(!) last year, but had to wait for a lot of things (mainly better
> DH/DSA support in OpenSSL) until it was ready for release. Additionally, the stuff
> really needed a lot of months to survive my personal quality assurance,
> because the changes really affected lots of code in mod_ssl. That's why you
> had to wait so long...
>
> But now it's finished and really nice: One can connect to mod_ssl even with
> the EDH-DSS-DES-CBC3-SHA cipher and friends. I like this very much, although
> the popular browsers still don't support these ciphers, of course.
>
> Now that this DH/DSA support is an official part of mod_ssl and will be
> released with 2.3.0 next week, I really would appreciate some testing in
> advance by the user community. So, if you want a stable 2.3.0, please
> contribute an hour and do the following:
>
> 1. You need the latest OpenSSL snapshot (mod_ssl 2.3.0 later will
> _require_ OpenSSL 0.9.3) from ftp://ftp.openssl.org/snapshot/, the latest
> mod_ssl snapshot from ftp://ftp.modssl.org/snapshot/ and Apache 1.3.6 from
> ftp://ftp.apache.org/dist/.
>
> 2. Follow the standard procedure for building an Apache+mod_ssl+OpenSSL
> based webserver.
>
> 3. Use "make certificate" to generate an RSA cert/key. Now use
> "make install" to install the package. Now again run "make certificate
> ALGO=DSA" to generate a second cert/key pair using the DSA algorithm. Copy
> over the conf/ssl.crt/server.crt to $prefix/etc/ssl.crt/server-dsa.crt and
> conf/ssl.key/server.key to $prefix/etc/ssl.key/server-dsa.key. Then add two
> _ADDITIONAL_ SSLCertificateFile and SSLCertificateKeyFile directives to the
> pre-configured $prefix/etc/httpd.conf file.
>
> 4. Try to access the server with RSA or DH ciphers. Especially
> things like
> $ (echo "GET $1 HTTP/1.0"; echo "Host: localhost:8443"; echo ""; sleep 2) |\
> openssl s_client -connect localhost:8443 -state -cipher EDH-DSS-DES-CBC3-SHA
> should now work!
>
> BTW, you don't need two cert/keys, of course. mod_ssl still allows you to run
> just RSA or just DSA cert/keys, of course. But then you can either use RSA or
> DH ciphers, of course... while with two cert/key pairs you can use all ciphers
> ;) But try it out, even a DSA-only server is now possible...
>
> Please give me feedback.
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
> ____________________________________________________________________
Looking forward to trying it. Thanks.
lin geng
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
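Added example, not code from the post, from mod_ssl or from Apache: a small POSIX shell script that walks step 3 of the procedure above with plain openssl(1), generating an RSA pair and a DSA pair, checking that each certificate really belongs to its key (mod_ssl rejects a mismatched pair when the server starts, so this is the check worth running before copying server-dsa.crt/.key into place), and printing the RSA directives plus the two _ADDITIONAL_ SSLCertificateFile/SSLCertificateKeyFile lines for the DSA pair. Assumptions: a current openssl(1) on PATH, 2048-bit keys, and $WORK as a stand-in for $prefix/etc (the post's ssl.crt/ and ssl.key/ layout is kept); the CN=localhost subject is a constructed test value.

```shell
#!/bin/sh
# Added example (not from the post or from mod_ssl): generate the RSA and DSA
# cert/key pairs from step 3, verify each pair, and emit the httpd.conf lines.
# Assumptions: openssl(1) on PATH; $WORK stands in for $prefix/etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/ssl.crt" "$WORK/ssl.key"

# gen_pair ALGO NAME: write ssl.key/NAME.key and a one-day self-signed
# ssl.crt/NAME.crt.  ALGO is rsa or dsa; the subject is a constructed value.
gen_pair() {
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$WORK/ssl.key/$2.key" 2>/dev/null ;;
        dsa) openssl dsaparam -out "$WORK/dsaparam.pem" 2048 2>/dev/null
             openssl gendsa -out "$WORK/ssl.key/$2.key" "$WORK/dsaparam.pem" 2>/dev/null ;;
        *)   echo "gen_pair: unknown algorithm '$1' (use rsa or dsa)" >&2; return 1 ;;
    esac
    openssl req -new -x509 -days 1 -subj "/CN=localhost" \
        -key "$WORK/ssl.key/$2.key" -out "$WORK/ssl.crt/$2.crt" 2>/dev/null
}

# cert_algo NAME: the public-key algorithm the certificate advertises, which is
# what decides whether the pair can serve RSA or DHE-DSS suites.
# Prints rsaEncryption or dsaEncryption.
cert_algo() {
    openssl x509 -in "$WORK/ssl.crt/$1.crt" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# pair_matches CRT KEY: succeed only if the certificate's SubjectPublicKeyInfo
# equals the public half of the private key.  Catches the slip of copying the
# new server.crt over while pairing it with the old server.key.
pair_matches() {
    c="$(openssl x509 -in "$WORK/ssl.crt/$1.crt" -noout -pubkey)"
    k="$(openssl pkey -in "$WORK/ssl.key/$2.key" -pubout)"
    [ "$c" = "$k" ]
}

# conf_fragment: the RSA pair that "make certificate" installs plus the two
# _ADDITIONAL_ directives for the DSA pair, as the post describes.
conf_fragment() {
    cat <<EOF
SSLCertificateFile    $WORK/ssl.crt/server.crt
SSLCertificateKeyFile $WORK/ssl.key/server.key
SSLCertificateFile    $WORK/ssl.crt/server-dsa.crt
SSLCertificateKeyFile $WORK/ssl.key/server-dsa.key
EOF
}

main() {
    gen_pair rsa server
    gen_pair dsa server-dsa
    for n in server server-dsa; do
        printf '%s: %s, ' "$n" "$(cert_algo "$n")"
        pair_matches "$n" "$n" && echo "cert matches key" || echo "CERT/KEY MISMATCH"
    done
    conf_fragment
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; functions defined but not run" >&2
fi
```

Once both pairs are in httpd.conf, the s_client probe from step 4 (`openssl s_client -connect localhost:8443 -state -cipher EDH-DSS-DES-CBC3-SHA`) exercises the DSA pair. On a current OpenSSL that exact suite needs a build configured with enable-weak-ssl-ciphers, since the 3DES suites were dropped from default builds in 1.1.0; otherwise pick a DHE-DSS AES suite such as DHE-DSS-AES256-SHA and add -tls1_2, because TLS 1.3 has no DSA suites at all.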