https://bz.apache.org/bugzilla/show_bug.cgi?id=65764

            Bug ID: 65764
           Summary: Setting custom DH parameters
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: so...@outlook.com
  Target Milestone: ---

I have set a custom DH parameters value with SSLOpenSSLConfCmd DHParameters
/etc/ssl/misc/ffdhe4096.pem, but this doesn't work anymore. I am not sure when it
stopped working, because I am doing an audit of the system only once every few
months/half a year, but it definitely does not anymore; it uses a 2048-bit key
right now, and I am not sure where it gets it.

Also, according to this: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html

there is no option anymore to set DHParameters with SSLOpenSSLConfCmd, and the
advice is to add it to the certificate file?! I suspect that because the leaf
certificate in SSLCertificateFile is 2048-bit it uses that key... I saw some
suggestion from years ago (2016) to set all SSL certificates/private keys with
SSLOpenSSLConfCmd, but there isn't any different result, and yes, I am using
combined ECDSA/RSA certificates/ciphers.

relevant config is:
SSLEngine On
SSLStaplingCache shmcb:/run/stapling_cache(32768)
SSLOpenSSLConfCmd DHParameters /etc/ssl/misc/ffdhe4096.pem
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+AES256+AESGCM:EECDH+CHACHA20:EECDH+AES128+AESGCM:EDH+AES256+AESGCM:EDH+CHACHA20:EDH+AES128+AESGCM:EECDH+AES256+SHA384:EECDH+AES128+SHA256:EDH+AES256+SHA256:EDH+AES128+SHA256"
SSLHonorCipherOrder On
SSLCertificateFile /etc/acme-sh/domain.net_ecc/fullchain.cer
SSLCertificateKeyFile /etc/acme-sh/domain.net_ecc/mihgroup.net.key
SSLCertificateFile /etc/acme-sh/domain.net/fullchain.cer
SSLCertificateKeyFile /etc/acme-sh/domain.net/mihgroup.net.key
SSLUseStapling On
SSLSessionTickets Off
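A way to measure what the server actually negotiates rather than what the config claims, as an added example that is not part of the bug report or of httpd itself: it forces a TLS 1.2 DHE-only suite with openssl s_client (TLS 1.3 picks its key-share group from the groups list, not from DHParameters) and reads the "Server Temp Key" size. The host name, port and the 4096-bit threshold are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the bug report: find out which ephemeral DH group
# an httpd instance really negotiates, independent of what the config claims.
# Host name, port and the 4096-bit threshold below are assumptions.

# Read "openssl s_client" output on stdin and print the finite-field DH size
# (the "Server Temp Key: DH, N bits" line), or "none" if no DH group was used.
dh_bits_from_sclient() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1 | grep . || echo none
}

# Connect with TLS 1.2 and DHE-only (non-ECDHE, non-anonymous) suites, so the
# server must use its configured finite-field DH parameters.
# Usage: probe_dh www.example.com 443   (assumed host; needs network access)
probe_dh() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -cipher 'kDHE:!aNULL' </dev/null 2>/dev/null | dh_bits_from_sclient
}

# Succeed only if a DH group was negotiated and it meets the minimum size.
audit_dh_bits() {
    bits=$1
    min=$2
    [ "$bits" != none ] && [ "$bits" -ge "$min" ]
}

# Constructed sample of s_client output matching what the report describes
# (a 2048-bit group negotiated although ffdhe4096.pem was configured).
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
Server Temp Key: DH, 2048 bits
Verify return code: 0 (ok)'

bits=$(printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | dh_bits_from_sclient)
echo "negotiated DH size: $bits"   # prints 2048
if audit_dh_bits "$bits" 4096; then
    echo "OK: DH group meets the 4096-bit requirement"
else
    echo "FAIL: DH group below 4096 bits; the configured parameters are not in use"
fi
```

Run probe_dh against the real host after each configuration change; a 2048 result with ffdhe4096.pem configured means the parameters are being taken from somewhere else.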
