OpenSSL 1.0.1 is being retired at the end of the year, so changes are unlikely.

-- Tom
Sent from my phone.
On 4 March 2016 16:21:07 GMT+00:00, bugzi...@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59087
>
> Yann Ylavic <ylavic....@gmail.com> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |ylavic....@gmail.com
>
> --- Comment #10 from Yann Ylavic <ylavic....@gmail.com> ---
> (In reply to Björn Jacke from comment #9)
>> It is not possible to iterate once over the certs and use the strongest cert
>> for the DH param size calculation?
>
> We could do that, but it's quite complicated to work around an openssl
> limitation on older versions, and that may also "annoy" some other httpd
> user...
> Feel free to ask the openssl team to give the DH callback the correct private
> key in 1.0.1 (and earlier) since that would be the correct fix (don't know if
> that could break other usages, though).
>
>>
>> But in any case: If we *know* that we mis-calculate the DH param size with
>> openssl 1.0.1,
>
> We know that we *can* mis-calculate the size with incorrect configuration,
> hence the change to a documentation PR.
>
>> then we should at least set the minimum DH param length to a
>> reasonable secure size. And 1024 is considered not secure these days. The
>> best solution then would be to increase the minimum DH param size e.g. to
>> 2048, wouldn't it? People who have interoperability issues with large DH
>> sizes because of Java clients or whatever can still set fixed DH parameters
>> as commented in ssl_engine_kernel.c already for the current (weak) 1024
>> limit.
>
> You could also use your own DH params with the suitable size and that's it.
> There is no point to set 2048 DHs with 1024 certs, and we need the relevant
> cert to figure out...
> Why break existing configurations?
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
> For additional commands, e-mail: docs-h...@httpd.apache.org
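The workaround Yann points to (supplying your own DH parameters of the size you want, so that mod_ssl never has to guess from the wrong private key) is only as good as the parameters that actually end up in the certificate file. mod_ssl documents that custom parameters are taken from a "DH PARAMETERS" PEM block appended to the first SSLCertificateFile (typically produced with `openssl dhparam 2048` and appended with `cat`). The following is an added example, not code from this thread or from httpd: a standard-library-only checker that finds that block, decodes its DER (a SEQUENCE of two INTEGERs, p and g, per PKCS#3) and reports the prime size, so you can confirm the file you deployed really carries 2048-bit (or larger) parameters rather than the 1024-bit fallback the thread is arguing about. The function names, the minimum of 2048 bits, the placeholder certificate block and the filler "prime" in the sample bundle are all assumptions or constructed input; the filler is chosen only for its bit length and is not a DH group.

```python
"""Check the size of the DH parameters appended to a mod_ssl certificate file.

Added example (not part of the thread or of httpd). Parses the
"DH PARAMETERS" PEM block that mod_ssl reads from the SSLCertificateFile:
DER SEQUENCE { INTEGER p, INTEGER g }, and returns the bit length of p.
"""
import base64
import re

# Matches the PEM block mod_ssl looks for at the end of the certificate file.
PEM_DH = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative value (leading 0x00 added when the high bit is set)."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Bit length of the DH prime p in the file's DH PARAMETERS block, or None if absent."""
    m = PEM_DH.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH PARAMETERS is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_strong_enough(pem_text, minimum_bits=2048):
    """True only if the file carries its own DH parameters of at least minimum_bits."""
    bits = dh_prime_bits(pem_text)
    return bits is not None and bits >= minimum_bits


def dh_params_pem(p, g=2):
    """Encode (p, g) as a PKCS#3 DH PARAMETERS PEM block (used here to build test input)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed sample input: a placeholder certificate block (never parsed by this
# checker) followed by DH parameters. FILLER_P is 2**2047 + 1, chosen only for its
# bit length; it is NOT a prime and NOT a usable DH group.
FILLER_P = (1 << 2047) | 1
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = PLACEHOLDER_CERT + dh_params_pem(FILLER_P)

if __name__ == "__main__":
    print("DH prime bits:", dh_prime_bits(SAMPLE_BUNDLE))
    print("meets 2048-bit minimum:", dh_strong_enough(SAMPLE_BUNDLE))
    print("certificate without DH block:", dh_prime_bits(PLACEHOLDER_CERT))
```

In practice, `dh_strong_enough(open("/path/to/cert.pem").read())` is the check to run after appending the output of `openssl dhparam` to the certificate file; a `None` result means mod_ssl will fall back to its built-in groups and to the size-selection behaviour the thread describes. The DER routines only need to handle non-negative INTEGERs and a single SEQUENCE, which is why no ASN.1 library is required.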