https://issues.apache.org/bugzilla/show_bug.cgi?id=49559
Summary: Patch to add user-specified Diffie-Hellman parameters
Product: Apache httpd-2
Version: 2.2.14
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=25714)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25714)
Allow admin-chosen DH parameters for DHE enabled cipher-modes
In order to be EAL4+ validated for one of our customers, Apache needs to be
able to support 2048+ bits group size for Diffie-Hellman parameters. Right now,
temporary parameters are 512 and 1024 bits only.
We can still disallow DH altogether, leaving only RSA for authentication and
pre-master secret encryption, but that's a suboptimal solution, as we then
lose forward secrecy.
Adding a 2048 bits DH temporary key into mod_ssl is not possible, since OpenSSL
would only ask for a 512/1024 bits one, depending on the "exportability" of the
chosen cipher-mode.
This patch adds a new configuration directive, "SSLDHParametersFile <file>",
allowing the administrator to supply their own Diffie-Hellman parameters
("openssl dhparam 2048 > dhparam2048.pem" to generate 2048 bits ones, for
example).
If this directive is specified and parameters are found in the supplied file,
then these parameters will be used whenever DHE is used to negotiate the
pre-master secret. If this directive is not used, then it works like it does
now, letting OpenSSL ask mod_ssl for a set of parameters of the desired size
(512 or 1024 bits).
We'd like this to be evaluated, discussed, and if possible, applied.
Regards.
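An added example, not part of the bug report or of the attached patch: a small Python checker for the kind of file an administrator would point SSLDHParametersFile at, i.e. the PEM "DH PARAMETERS" block that "openssl dhparam 2048 > dhparam2048.pem" writes. It decodes the PKCS#3 DHParameter DER structure (SEQUENCE of INTEGER p, INTEGER g) by hand, reports the bit length of the prime and the generator, and flags parameters below a chosen minimum. The two sample PEM blocks are constructed inline by the included encoder from placeholder moduli that are merely odd numbers of the right size, not primes; they exercise the parser only. Whether real parameters are a safe prime is a separate check that this code does not perform ("openssl dhparam -check" does).

```python
import base64
import re
import textwrap

PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


# --- DER encoding helpers (used only to build the constructed samples) ---
def _der_len(n):
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der_int(n):
    """Encode a non-negative INTEGER; prepend 0x00 if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g):
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    return PEM_BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + PEM_END + "\n"


# --- DER decoding (what the checker actually does with an admin's file) ---
def pem_to_der(pem_text):
    """Extract and base64-decode the DH PARAMETERS block from PEM text."""
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def parse_dh_params(der):
    """Parse PKCS#3 DHParameter; return (p, g). A trailing privateValueLength is tolerated."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    pos, ints = 0, []
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("need at least p and g")
    return ints[0], ints[1]


def check_dh_params(pem_text, min_bits=2048):
    """Report the group size and generator, and whether it meets min_bits."""
    p, g = parse_dh_params(pem_to_der(pem_text))
    bits = p.bit_length()
    return {
        "bits": bits,
        "generator": g,
        "odd_modulus": p % 2 == 1,
        "meets_minimum": bits >= min_bits,
    }


# Constructed placeholder moduli (odd, correct size, NOT prime): parser samples only.
SAMPLE_2048_PEM = encode_dh_params_pem((1 << 2047) | 1, 2)
SAMPLE_1024_PEM = encode_dh_params_pem((1 << 1023) | 1, 2)

if __name__ == "__main__":
    for name, pem in (("2048-bit sample", SAMPLE_2048_PEM), ("1024-bit sample", SAMPLE_1024_PEM)):
        print(name, check_dh_params(pem))
```

Pointing check_dh_params at the contents of a real dhparam2048.pem shows whether the file actually carries the 2048-bit group the directive is meant to enable, which is the thing to verify before relying on it for the EAL4+ requirement described above.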