On 04/18/2014 08:34 AM, Falco Schwarz wrote: > As of httpd-2.4.7 the strength of DH temp keys is determined by the private > key's bit length. I recently noticed the following behavior (using > httpd-2.4.9 and openssl-1.0.2-beta2-dev): > > I am using multiple certificates for one VHost (ECC and RSA): > > SSLCertificateFile conf/ssl/example.org.ecc.cer > SSLCertificateKeyFile conf/ssl/example.org.ecc.key > SSLCertificateFile conf/ssl/example.org.rsa.cer > SSLCertificateKeyFile conf/ssl/example.org.rsa.key > > If no DH params are specified in the first certificate, then the DH temp > key is dependent on the last private key's bit length, instead of the > first. So, if the ECC key is defined last, then the DH temp key will be > 1024bit.
This sounds like a mistake, unless you're using a remarkably small ECC
key. The goal of basing the DH parameters on the size of the server's
public key should be to match the cryptographic strength of the key
exchange with the cryptographic strength of the server's public key
authentication.
If the server's ECC key is a 256-bit ECC key, that is (roughly)
equivalent to a 128 bits symmetric cipher.
A comparable discrete log Diffie-Hellman group should have a modulus of
3248 bits, according to ECRYPT [0].
Looking at the code, it appears that ssl_callback_TmpDH() in
modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
this probably needs to be updated.
--dkg
[0] page 30 of http://www.ecrypt.eu.org/documents/D.SPA.20.pdf
signature.asc
Description: OpenPGP digital signature
