Hi Rémi!

On Thu, Jun 12, 2014 at 03:24:13PM +0200, Remi Gacogne wrote:
>
> Hi everyone,
>
> After good remarks from Willy and Emeric, here is a new version of the
> previous patch, including the following changes:
>
> - tune.ssl.default-dh-param does not accept a value of less than 1024
> anymore ;
> - a comment explaining why we use the certificate key size and not the
> keylen value supplied by OpenSSL in the EDH callback has been added ;
> - we don't use OpenSSL's private constants but rather the cipher name to
> determine if at least one cipher using an ephemeral diffie-hellman key
> exchange is in use ;
> - the warning indicating that tune.ssl-default-dh-param is not set could
> have been displayed even if static DH parameters were supplied in the
> certificate file. This has now been fixed.

That's really nice, I've just applied it with Emeric's approval.

Thanks!
Willy