https://bz.apache.org/bugzilla/show_bug.cgi?id=59087
--- Comment #9 from Björn Jacke <bjo...@j3e.de> ---

Is it not possible to iterate once over the certs and use the strongest cert for the DH param size calculation?

But in any case: If we *know* that we mis-calculate the DH param size with OpenSSL 1.0.1, then we should at least set the minimum DH param length to a reasonably secure size. And 1024 is considered not secure these days. The best solution then would be to increase the minimum DH param size e.g. to 2048, wouldn't it?

People who have interoperability issues with large DH sizes because of Java clients or whatever can still set fixed DH parameters as commented in ssl_engine_kernel.c already for the current (weak) 1024 limit.