On 26.05.2015 at 10:33, Rainer Jung wrote:
Current mod_ssl code tries to read embedded DH and ECC parameters only from the first certificate file. Although this is documented ("DH and ECDH parameters, however, are only read from the first SSLCertificateFile directive, as they are applied independently of the authentication algorithm type."), I find it questionable. I would find it more natural to embed the params in the cert files they apply to, so e.g. the DH params in the RSA cert file and the EC params in the ECDH cert file, and also to not require a special order for the files, which in the end we do not check. Since missing the embedded params goes unnoticed (finding them is only a DEBUG log line), it is not very user-friendly.
Honestly, it would be much more user-friendly to have a separate parameter for that, which would make it easy to regenerate the params via cron jobs without touching the PEM file containing the real certificate and private key.
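An added example, not code from this thread or from mod_ssl: a small audit that models the behaviour quoted above (parameters read only from the first SSLCertificateFile) and reports embedded DH/EC parameter blocks that would be silently skipped. The file names and PEM bodies are constructed placeholders, and `audit` is a hypothetical helper name.

```python
import re

# PEM labels OpenSSL writes for parameter blocks, mapped to a short kind.
PARAM_LABELS = {"DH PARAMETERS": "DH", "X9.42 DH PARAMETERS": "DH",
                "EC PARAMETERS": "EC"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9. ]+)-----\s*$", re.M)

def embedded_params(pem_text):
    """Return the kinds of parameter blocks ('DH', 'EC') found in one PEM file."""
    labels = PEM_BEGIN.findall(pem_text)
    return {PARAM_LABELS[label] for label in labels if label in PARAM_LABELS}

def audit(cert_files):
    """cert_files: list of (name, pem_text) in SSLCertificateFile order.

    Returns (used, ignored): 'used' maps kind -> first file's name,
    'ignored' lists (name, kind) for blocks in any later file, which the
    behaviour quoted in the message above would never read.
    """
    used, ignored = {}, []
    for index, (name, text) in enumerate(cert_files):
        for kind in sorted(embedded_params(text)):
            if index == 0:
                used[kind] = name
            else:
                ignored.append((name, kind))
    return used, ignored

def _pem(label):
    # Constructed placeholder block; the body is not real key material.
    return f"-----BEGIN {label}-----\nCONSTRUCTEDPLACEHOLDER\n-----END {label}-----\n"

# Constructed samples: params embedded next to the cert they "belong" to.
RSA_PEM = _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY") + _pem("DH PARAMETERS")
EC_PEM = _pem("CERTIFICATE") + _pem("EC PARAMETERS") + _pem("EC PRIVATE KEY")

if __name__ == "__main__":
    used, ignored = audit([("rsa.pem", RSA_PEM), ("ec.pem", EC_PEM)])
    for kind, name in used.items():
        print(f"{kind} parameters taken from first file {name}")
    for name, kind in ignored:
        print(f"WARNING: {kind} parameters in {name} are not in the first file")
```

In a real check, the list would be built from the SSLCertificateFile directives of one virtual host in configuration order, reading each file's text from disk.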