On 26.05.2015 at 11:00, Tim Bannister wrote:
On 26 May 2015, at 09:37, Reindl Harald <h.rei...@thelounge.net> wrote:
On 26.05.2015 at 10:33, Rainer Jung wrote:
Current mod_ssl code tries to read embedded DH and ECC parameters only from the
first certificate file. Although this is documented
"DH and ECDH parameters, however, are only read from the first
SSLCertificateFile directive, as they are applied independently of the
authentication algorithm type."
I find it questionable. I would find it more natural to embed the params in the
cert files they apply to, so e.g. the DH params in the RSA cert file and the EC
params in the ECDH cert file and also to not require a special order for the
files which at the end we do not check. Since missing the embedded params goes
unnoticed (finding them is only a DEBUG log line) it is not very user friendly
Honestly, it would be much more user friendly to have a parameter of its own for that,
which would make it easy to regenerate the params via cron jobs without touching
the PEM file containing the real certificate and private key.
With that kind of directive it would also leave flexibility for this kind of
thing:
DHParamsEC /tmp/example
DHParamsEC none
DHParamsEC auto
(that last case – I'm imagining that httpd generates the D-H parameters at each
startup, blocking use of ECDH until generation is complete).
I think the way forward is SSLOpenSSLConfCmd which tries to get rid of
one new mod_ssl directive per new OpenSSL feature. But that is 1.0.2
only. So for a transitory phase we need something else, and at least I am
happy that you can already configure the params (by embedding them in
the cert file).
Regards,
Rainer
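The thread above hinges on two facts: mod_ssl reads embedded DH and EC parameters only from the first SSLCertificateFile, and their absence shows up only as a DEBUG log line. The following POSIX sh script is an added example, not code from httpd or from anyone on this list: it performs the check an administrator would want before restarting httpd (does the first cert file actually carry both parameter blocks?) and shows one way to swap in freshly generated DH parameters without touching the certificate or key blocks, which is the cron-job use case Reindl mentions. The httpd.conf, rsa.pem, ec.pem and the PEM block bodies are constructed placeholders, not real keys or parameters; only the headers matter for the check.

```shell
#!/bin/sh
# Added example, not httpd's own code. Checks that the FIRST
# SSLCertificateFile carries embedded DH and EC parameters (the only place
# mod_ssl looks for them) and demonstrates regenerating the DH block in
# place. All sample files below are constructed placeholders.

# first_cert_file CONFIG: path named by the first SSLCertificateFile line
first_cert_file() {
    awk '$1 == "SSLCertificateFile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# pem_has_block FILE LABEL: succeed if FILE contains "-----BEGIN LABEL-----"
pem_has_block() {
    grep -q -F -e "-----BEGIN $2-----" "$1"
}

# check_embedded_params CONFIG: report which parameter blocks the first
# cert file lacks; exit status 0 only if both DH and EC params are present
check_embedded_params() {
    cert=$(first_cert_file "$1")
    if [ -z "$cert" ]; then
        echo "no SSLCertificateFile directive in $1"
        return 2
    fi
    rc=0
    for label in "DH PARAMETERS" "EC PARAMETERS"; do
        if pem_has_block "$cert" "$label"; then
            echo "ok: $label embedded in $cert"
        else
            echo "MISSING: $label not in $cert (mod_ssl only logs this at DEBUG)"
            rc=1
        fi
    done
    return $rc
}

# replace_dh_params CERT NEWPARAMS: drop any existing DH PARAMETERS block
# from CERT and append the contents of NEWPARAMS; certificate and private
# key blocks pass through untouched, which is what a cron job needs
replace_dh_params() {
    tmp="$1.tmp.$$"
    awk '/^-----BEGIN DH PARAMETERS-----/ { skip = 1 }
         !skip { print }
         /^-----END DH PARAMETERS-----/ { skip = 0 }' "$1" > "$tmp" &&
        cat "$2" >> "$tmp" && mv "$tmp" "$1"
}

# --- constructed sample data (placeholders, NOT real keys or parameters) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'SSLCertificateFile "%s/rsa.pem"\nSSLCertificateFile "%s/ec.pem"\n' \
    "$WORK" "$WORK" > "$WORK/httpd.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$WORK/rsa.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' placeholder '-----END RSA PRIVATE KEY-----' >> "$WORK/rsa.pem"
printf '%s\n' '-----BEGIN DH PARAMETERS-----' old '-----END DH PARAMETERS-----' >> "$WORK/rsa.pem"
# The EC params sit in the SECOND file, which mod_ssl never consults for them
printf '%s\n' '-----BEGIN EC PARAMETERS-----' 'BggqhkjOPQMBBw==' '-----END EC PARAMETERS-----' > "$WORK/ec.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' >> "$WORK/ec.pem"

# Expected on this sample: DH ok, EC MISSING, non-zero exit status
check_embedded_params "$WORK/httpd.conf" || echo "exit status $?: fix before restarting httpd"
```

In real use, NEWPARAMS would be the output of `openssl dhparam -out dh.pem 2048` written by the cron job, and the check would run against the live httpd.conf. On builds linked against OpenSSL 1.0.2, the same parameters can instead be supplied with `SSLOpenSSLConfCmd DHParameters "/path/to/dh.pem"` (and the curve with `SSLOpenSSLConfCmd ECDHParameters`), which keeps them out of the certificate file entirely; note that this script only inspects embedded blocks and would not see parameters configured that way.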