I'd like to suggest that future version of mod_ssl and Apache-SSL
support the ephemeral Diffie-Hellman cipher suites, i.e. the ones
that SSLeay/OpenSSL calls EDH-..., such as DH-RSA-DES-CBC3-SHA, which
is officially known as follows:
CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
The proper way to do this, it seems, is to generate at start-up
not only a temporary RSA keys for export clients, but also temporary
DH parameters (or load them from a file), and to set
SSL_OP_SINGLE_DH_USE so that s3_srvr.c will use a fresh exponent for
each connection that uses a DHE cipher suite (this should really
be the default behaviour for SSLeay/OpenSSL). Or do mod_ssl and/or
Apache-SSL already support DHE (I'm too lazy to go through all of the
source code ...)? It seems not, because
$ openssl s_client -cipher EDH-RSA-DES-CBC3-SHA \
-port 443 -host www.apache-ssl.org
and
$ openssl s_client -cipher EDH-RSA-DES-CBC3-SHA \
-port 443 -host www.engelschall.com
both fail ("SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:458:"), whereas
$ openssl s_client -cipher EDH-RSA-DES-CBC3-SHA \
-port 443 -host www.c2net.com
works (the server in this case is Stronghold, obviously). The reason
to use DHE is that it provides forward secrecy, that is, some who
steals the server key cannot decipher earlier connections (unless
export ciphers with easy-to-crack 40 bit encryption were used); so it
would be really nice to have this in Apache-SSL and mod_ssl (enabled
by default).
By the way, does someone know which cipher suites the new version of
Microsoft's Internet Explorer (US version) suppports? The DHE cipher
suites aren't of much use unless clients support them, obviously --
Netscape Navigator unfortunately does not yet (but there's
SafePassage), what about Opera?
Bodo M"oller
<[EMAIL PROTECTED]>
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
