On 18.04.2014 14:34, Falco Schwarz wrote:
> As of httpd-2.4.7 the strength of DH temp keys is determined by the private 
> key's bit length. I recently noticed
> the following behavior (using httpd-2.4.9 and openssl-1.0.2-beta2-dev):
> 
> I am using multiple certificates for one VHost (ECC and RSA):
> 
>     SSLCertificateFile     conf/ssl/example.org.ecc.cer
>     SSLCertificateKeyFile  conf/ssl/example.org.ecc.key
>     SSLCertificateFile     conf/ssl/example.org.rsa.cer
>     SSLCertificateKeyFile  conf/ssl/example.org.rsa.key
> 
> If no DH params are specified in the first certificate, then the DH temp key
> is dependent on the last private key's bit length, instead of the first.
> So, if the ECC key is defined last, then the DH temp key will be 1024 bit.
> If the RSA key is defined last, then the DH temp key will be 2048 bit.
> 
> From a user's perspective it would be helpful if the DH temp key is always
> associated with the first certificate

from a user's perspective you should avoid multiple certs;
with recent httpd releases you can place *all* in one

below is the structure of our wildcard cert file.
wherever i have to specify a certificate or key it's the
same single file, and in fact you no longer need some config
params at all with a PEM file built that way

* our certificate
* our key
* GoDaddy intermediate certificate 1
* GoDaddy intermediate certificate 2
* ecc params
* dh params

if you have a 3072 or 4096 bit RSA key as recommended you should also
consider setting the DH params for older browsers not supporting ECDHE
to 2048 bit, otherwise you break at least Firefox 1 - Firefox 3

#!/bin/bash
# generate the named EC curve parameters and 2048 bit DH parameters
openssl ecparam -out /data/pki/ec.pem -name prime256v1
openssl gendh -out /data/pki/dh.pem -2 2048
# concatenate both into one params file and drop the temporaries
cat /data/pki/ec.pem /data/pki/dh.pem > /data/pki/ecdh_params.pem
rm -f /data/pki/ec.pem
rm -f /data/pki/dh.pem
# params are only read by the server at startup, so root-only is enough
chown root:root /data/pki/*.pem
chmod 400 /data/pki/*.pem

# build the single combined file: cert, key, intermediates, params
cat your.crt your.key ca-crt-1 ca-crt-2 /data/pki/ecdh_params.pem > your-new-file.pem
___________________________________________________________________________

FYI:
GoDaddy has 3 certs in their package, and according to
https://www.ssllabs.com/ssltest/ one of them should not be included
because it is the trust anchor and gets flagged as a chain issue

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
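A way to sanity-check a combined PEM file of the kind described in this mail, as an added example that is not part of the original thread and not part of httpd or OpenSSL: it walks the PEM blocks in file order, compares the block labels against the layout listed above (leaf cert, key, two intermediates, EC params, DH params), and decodes the DH PARAMETERS block far enough to read the bit length of the prime p, so a 1024 bit DH group left in the bundle is caught before the server is restarted. The sample bundle it builds is constructed placeholder data (the DH "prime" is just an odd number of the requested size, not a real safe prime; the certificate and key blocks are dummy bytes), and the function names are this example's own.

```python
"""Check the block order and DH size of a combined PEM bundle.

Added example, not code from the original mail. All sample data here is
constructed and is NOT usable key material.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Layout recommended in the mail: leaf cert, its key, intermediates, params.
EXPECTED_LAYOUT = ["CERTIFICATE", "PRIVATE KEY", "CERTIFICATE",
                   "CERTIFICATE", "EC PARAMETERS", "DH PARAMETERS"]
MIN_DH_BITS = 2048  # size the mail recommends for clients without ECDHE


def parse_pem_blocks(text):
    """Return [(label, der_bytes), ...] in the order they appear in the file."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        blocks.append((label, base64.b64decode("".join(body.split()))))
    return blocks


def _der_read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """DH PARAMETERS (PKCS#3) is SEQUENCE { INTEGER p, INTEGER g, ... }."""
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a DER SEQUENCE")
    tag, p_bytes, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH parameters is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def check_bundle(text):
    """Summarise a bundle: block labels, layout verdict and DH prime size."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    result = {"labels": labels, "layout_ok": labels == EXPECTED_LAYOUT,
              "dh_bits": None, "dh_ok": False}
    for label, der in blocks:
        if label == "DH PARAMETERS":
            result["dh_bits"] = dh_prime_bits(der)
            result["dh_ok"] = result["dh_bits"] >= MIN_DH_BITS
    return result


# ---- constructed sample data (placeholders, not real certificates or keys) ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def sample_bundle(dh_bits):
    """Bundle in the mail's layout; the DH 'prime' is a placeholder odd number
    of the requested size (NOT a safe prime), enough to exercise the parser."""
    p = (1 << (dh_bits - 1)) | 1
    content = _der_int(p) + _der_int(2)    # p, then generator g = 2
    dh = b"\x30" + _der_len(len(content)) + content
    dummy = b"placeholder"                 # stands in for cert / key DER
    return (_pem("CERTIFICATE", dummy) + _pem("PRIVATE KEY", dummy)
            + _pem("CERTIFICATE", dummy) * 2 + _pem("EC PARAMETERS", dummy)
            + _pem("DH PARAMETERS", dh))


if __name__ == "__main__":
    for bits in (2048, 1024):
        print(bits, check_bundle(sample_bundle(bits)))
```

To run it against a real bundle, feed `check_bundle(open("your-new-file.pem").read())`; a `layout_ok` of False tells you the block order differs from the one in the mail, and `dh_ok` of False means the DH group in the file is smaller than the 2048 bit the mail recommends.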
