On 26 May 2015, at 09:37, Reindl Harald <h.rei...@thelounge.net> wrote:
>
>
> On 26.05.2015 at 10:33, Rainer Jung wrote:
>> Current mod_ssl code tries to read embedded DH and ECC parameters only from
>> the first certificate file. Although this is documented
>>
>> "DH and ECDH parameters, however, are only read from the first
>> SSLCertificateFile directive, as they are applied independently of the
>> authentication algorithm type."
>>
>> I find it questionable. I would find it more natural to embed the params in
>> the cert files they apply to, so e.g. the DH params in the RSA cert file and
>> the EC params in the ECDH cert file, and also to not require a special order
>> for the files which in the end we do not check. Since missing the embedded
>> params goes unnoticed (finding them is only a DEBUG log line) it is not very
>> user friendly.
>
> Honestly it would be much more user friendly to have its own parameter for that,
> which would make it easy to regenerate the params via cronjobs without
> touching the PEM file containing the real certificate and private key.
With that kind of directive it would also leave flexibility for this kind of thing:

    DHParamsEC /tmp/example
    DHParamsEC none
    DHParamsEC auto

(that last case – I'm imagining that httpd generates the D-H parameters at each startup, blocking use of ECDH until generation is complete).

-- 
Tim Bannister – is...@c8h10n4o2.org.uk
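The ordering problem Rainer raises is easy to check for outside httpd. The script below is an added example for this thread, not httpd or mod_ssl code: it parses the SSLCertificateFile directives of one virtual host, looks at which PEM blocks each named file contains, and warns about DH or EC parameters that mod_ssl would silently skip under the documented 2.4 rule quoted above (parameters are read only from the first SSLCertificateFile). The PEM labels it matches, "DH PARAMETERS" and "EC PARAMETERS", are the ones `openssl dhparam` and `openssl ecparam` write; the configuration and file contents are constructed sample input, with placeholder base64 rather than real certificates, and the `read` callback is an assumed helper so the check runs offline or against a real filesystem.

```python
"""Audit where DH / EC parameters sit across SSLCertificateFile directives.

Added example for the mod_ssl thread; not httpd code. It assumes the documented
2.4 behaviour: mod_ssl only looks for embedded DH and ECDH parameters in the
file named by the FIRST SSLCertificateFile directive, and parameters embedded
in any later certificate file are ignored (only a DEBUG log line notes found
parameters, so nothing flags the ones that were missed).
"""
import re
from typing import Callable, Dict, List

# A PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" (same label).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# Labels OpenSSL writes for DH groups and named/explicit EC parameters.
PARAM_LABELS = ("DH PARAMETERS", "EC PARAMETERS")


def pem_labels(pem_text: str) -> List[str]:
    """Labels of the PEM blocks in a file body, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def certificate_files(conf_text: str) -> List[str]:
    """SSLCertificateFile paths of one vhost, in directive order (comments skipped)."""
    paths = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "sslcertificatefile":
            paths.append(parts[1].strip().strip('"'))
    return paths


def audit(conf_text: str, read: Callable[[str], str]) -> List[str]:
    """Warnings about parameters mod_ssl would miss given the directive order.

    `read(path)` returns a file body; pass a dict lookup for offline use or
    `lambda p: open(p).read()` against a real configuration (assumed helper).
    """
    paths = certificate_files(conf_text)
    if not paths:
        return ["no SSLCertificateFile directive found"]
    warnings = []
    first = paths[0]
    if not set(pem_labels(read(first))) & set(PARAM_LABELS):
        warnings.append(f"{first}: first SSLCertificateFile embeds no DH or EC "
                        "parameters, so mod_ssl falls back to its defaults")
    for path in paths[1:]:
        for label in pem_labels(read(path)):
            if label in PARAM_LABELS:
                warnings.append(f"{path}: embedded {label} ignored, "
                                "not the first SSLCertificateFile")
    return warnings


# --- constructed sample: RSA cert listed first, ECDSA cert second -------------
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/rsa.pem
    SSLCertificateKeyFile /etc/ssl/rsa.key
    SSLCertificateFile    /etc/ssl/ecdsa.pem
    SSLCertificateKeyFile /etc/ssl/ecdsa.key
</VirtualHost>
"""

# Placeholder bodies: the base64 in the CERTIFICATE and DH blocks is not a real
# certificate or group; the EC PARAMETERS block is the public prime256v1 OID.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
EC_PARAMS = "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"
DH_PARAMS = "-----BEGIN DH PARAMETERS-----\nMIIBplaceholder\n-----END DH PARAMETERS-----\n"

# The layout Rainer calls natural: each parameter set beside the cert it serves.
NATURAL_FILES: Dict[str, str] = {
    "/etc/ssl/rsa.pem": CERT + DH_PARAMS,
    "/etc/ssl/ecdsa.pem": EC_PARAMS + CERT,
}
# The layout the documentation requires: every parameter set in the first file.
DOCUMENTED_FILES: Dict[str, str] = {
    "/etc/ssl/rsa.pem": CERT + DH_PARAMS + EC_PARAMS,
    "/etc/ssl/ecdsa.pem": CERT,
}


def run_sample() -> Dict[str, List[str]]:
    """Audit both sample layouts against the sample vhost."""
    return {name: audit(SAMPLE_CONF, files.__getitem__)
            for name, files in (("natural", NATURAL_FILES),
                                ("documented", DOCUMENTED_FILES))}


if __name__ == "__main__":
    for name, warnings in run_sample().items():
        print(f"[{name}] {len(warnings)} warning(s)")
        for w in warnings:
            print("  ", w)
```

Run against the "natural" layout it reports the one thing httpd itself never says: the EC parameters in the second file are never loaded. The "documented" layout passes cleanly. The same check applies unchanged if the ECDSA file is listed first and the DH group lives in the RSA file, which is the symmetric case of the ordering rule.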