As of httpd-2.4.7 the strength of DH temp keys is determined by the private key's bit length. I recently noticed the following behavior (using httpd-2.4.9 and openssl-1.0.2-beta2-dev):
I am using multiple certificates for one VHost (ECC and RSA):

    SSLCertificateFile conf/ssl/example.org.ecc.cer
    SSLCertificateKeyFile conf/ssl/example.org.ecc.key
    SSLCertificateFile conf/ssl/example.org.rsa.cer
    SSLCertificateKeyFile conf/ssl/example.org.rsa.key

If no DH params are specified in the first certificate, then the DH temp key is dependent on the last private key's bit length, instead of the first. So, if the ECC key is defined last, then the DH temp key will be 1024 bit. If the RSA key is defined last, then the DH temp key will be 2048 bit.

From a user's perspective it would be helpful if the DH temp key is always associated with the first certificate, regardless of whether DH params are specified or not.
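
One way to check which DH temp key a VHost actually serves, as an added example that is not part of the original post: it parses the "Server Temp Key" line that `openssl s_client` prints. The function names, the 2048-bit threshold and the sample excerpts (constructed from the two key sizes reported above) are assumptions.

```shell
#!/bin/sh
# Added example: classify the ephemeral key a server offers, from the
# "Server Temp Key" line that `openssl s_client` (1.0.2+) prints.
MIN_DH_BITS=${MIN_DH_BITS:-2048}   # assumed policy threshold

# Reads s_client output on stdin; prints "<type> <bits> <verdict>".
classify_temp_key() {
    awk -v min="$MIN_DH_BITS" '
        /Server Temp Key:/ {
            sub(/^.*Server Temp Key:[ \t]*/, "")
            n = split($0, f, /,[ \t]*/)   # "DH, 1024 bits" or "ECDH, <curve>, 256 bits"
            type = f[1]
            bits = f[n]; sub(/[ \t]*bits.*$/, "", bits)
            verdict = (type == "DH" && bits + 0 < min) ? "WEAK" : "OK"
            print type, bits, verdict
            found = 1
            exit
        }
        END { if (!found) print "NONE 0 NO_TEMP_KEY" }
    '
}

# Constructed s_client excerpts matching the two orderings in the post.
sample_ecc_key_last() {
    printf '%s\n' 'No client certificate CA names sent' \
        'Server Temp Key: DH, 1024 bits' '---'
}
sample_rsa_key_last() {
    printf '%s\n' 'No client certificate CA names sent' \
        'Server Temp Key: DH, 2048 bits' '---'
}

# Live check, DHE suites only over TLS 1.2: probe_dhe <host> [port]
probe_dhe() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -tls1_2 -cipher DHE </dev/null 2>/dev/null | classify_temp_key
}
```

Running `probe_dhe` against the VHost after each reordering of the certificate directives shows whether the served DH size follows the first or the last key.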