On 24.05.2015 at 23:08, olli hauer wrote:
Hi,
is there a chance to get the following revisions merged to 2.2.x
- r1551685, r1652929 (fix IPv4 mapping on FreeBSD)
In ssl_engine_dh.c there are calls to generate dh512 and dh1012,
perhaps it is also an idea to drop dh512 and add dh2048 or higher.
-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");
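Review bot: Both added `system()` calls ignore the exit status, so a failed `openssl gendh` run goes unnoticed and the script continues without a fresh dh1024.pem or dh2048.pem; check the result, for example `system(...) == 0 or die "openssl gendh failed: $?"`. The hunk also keeps a 1024-bit group as its smaller size and stops at 2048, while the message above suggests "dh2048 or higher"; consider dropping the 1024-bit line too, or state why it has to stay.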
I wonder whether we should instead remove that whole embedded perl
script. An improvement was ported back from 2.4 to 2.2 that means you
can simply include the "openssl dhparam" output in the certificate file.
In addition by default the next 2.2 will also choose a prime length
corresponding to the RSA key length in the certificate. So in most cases
users should be just fine. If admins want to tune, they can by generating
params and appending them to the cert file.
What do you think: is there still a need for this embedded perl script?
PS:
on my local 2.2.x test system 'ab.c' from 2.4.13 builds fine, perhaps
this is also a candidate for a next 2.2.x release.
Probably a bit too late for now. We are heading for a release real soon.
But thanks for the heads up.
Regards,
Rainer
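The reply above describes appending "openssl dhparam" output to the certificate file. As an added example (not code from this thread or from httpd), the following Python sketch reads such a file and reports the size of the appended DH prime. The function names, the 2048-bit threshold and the sample file are assumptions; the sample is constructed and its "prime" only has the right length.

```python
import base64
import re

DH_BLOCK = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in each DH PARAMETERS block of a PEM file."""
    sizes = []
    for block in DH_BLOCK.finditer(pem_text):
        der_bytes = base64.b64decode("".join(block.group(1).split()))
        tag, seq, _ = read_tlv(der_bytes)  # DHParameter ::= SEQUENCE { p, g, ... }
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
        tag, p, _ = read_tlv(seq)          # the first INTEGER is the prime
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        sizes.append(int.from_bytes(p, "big").bit_length())
    return sizes

def audit(pem_text, minimum=2048):  # minimum is an assumed policy threshold
    """Classify a certificate file: 'none', 'weak' or 'ok'."""
    sizes = dh_prime_bits(pem_text)
    if not sizes:
        return "none"
    return "weak" if min(sizes) < minimum else "ok"

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_sample(bits):
    """Constructed cert file: placeholder cert plus DH params; p is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    ints = [der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, 2)]
    pem = base64.encodebytes(der(0x30, b"".join(ints))).decode()
    cert = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    return cert + "-----BEGIN DH PARAMETERS-----\n" + pem + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, audit(constructed_sample(bits)))
```

A result of "none" means the file carries no custom parameters, in which case the server's own default selection described in the reply applies.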