Stefan Fritsch <sf <at> sfritsch.de> writes:

> It is also possible to
> load custom DH params from the SSLCertificateFile, but AFAICS this
> needs to be done for each vhost.

That sounds like an option, but isn’t available in wheezy yet ☹ but if you’re going to ship it via wheezy-security… great!

Michael Stone <mstone <at> debian.org> writes:

> You can mitigate it right now by reconfiguring your server to remove DH
> ciphers from SSLCipherSuite.

That’s throwing the baby out with the bathwater and removing the ability to use PFS with clients that do not use ECC, for whatever reason (any discussion of these reasons is off-topic). So, no. Bad advice, actually, which should not be given.

bye,
//mirabilos

