Hi Gustav,

Well put. Me too.

Thank you for the explanation re DH Params. All is well. Thank you.

Thorpe

> On Jul 28, 2021, at 14:00, Gustaf Neumann <neum...@wu.ac.at> wrote:
>
> Hi Thorpe,
>
> On 27.07.21 14:42, THORPE MAYES via naviserver-devel wrote:
>> This issue surfaced when I was creating a new ssl certificate. The old
>> certificate expires at the end of the month.
>> The old certificate continued to work after I updated naviserver (with
>> openssl 1.1k). The new certificate did not work.
>> The old certificate has the Diffie-Hellman key exchange applied.
>> I applied the DH key exchange via openssl: openssl dhparam 2048 >> server.pem
>> The version of openssl installed at the time predated 1.1k. I believe that
>> it was 1.1.i; it may have been an earlier version.
>>
>> I decided to not apply the DH Param to the new certificate. The new
>> certificate now works.
>
> Short answer: glad it works now.
>
> Specifying DH Params in the .pem file should not be needed in newer versions
> of OpenSSL.
>
> The DH parameters should not hurt in general either. I checked the
> (letsencrypt) certificate used on openacs.org. The pemfile contains DH
> parameters and has the following structure:
>
> -----BEGIN PRIVATE KEY-----
> ...
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> -----BEGIN DH PARAMETERS-----
> ...
> -----END DH PARAMETERS-----
>
> and everything works fine there.
>
> Handling of DH parameters is a moving target in OpenSSL (and clones). In newer
> versions, OpenSSL defines SSL_CTX_set_dh_auto(), such that DH PARAMETERS are
> not needed anymore in the PEM file. Some of this code was backported to
> earlier versions of OpenSSL. When NaviServer is compiled with OpenSSL 1.1.* or
> newer, it uses this function.
>
> So, I am not completely sure what the problem is you had, but version-wise,
> DH PARAMETERS should not be necessary in your setup.
>
> I've also updated the log message of the server when certificate loading
> fails, ... since these messages were also confusing for me.
>
> all the best
>
> -g
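The combined PEM layout Gustaf describes, as an added check that is not part of the thread or of NaviServer: a POSIX shell/awk script that lists the sections of a combined .pem file in order (so you can see whether DH PARAMETERS were appended and how many CERTIFICATE blocks form the chain) and flags mismatched BEGIN/END markers. The sample file is constructed with placeholder bodies, not real key material.

```shell
# Added example, not from the thread: inventory the sections of a combined
# NaviServer-style .pem file and flag unbalanced BEGIN/END markers.

pem_sections() {
    # Usage: pem_sections FILE  -> one line per block, "<n>:<LABEL>".
    # Exit status is non-zero if a BEGIN/END pair is mismatched or left open.
    awk '
        BEGIN { bad = 0; open = ""; n = 0 }
        /^-----BEGIN .*-----$/ {
            label = $0; sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
            if (open != "") { print "UNCLOSED:" open; bad = 1 }
            open = label; n++; print n ":" label; next
        }
        /^-----END .*-----$/ {
            label = $0; sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (label != open) { print "MISMATCH:" open "/" label; bad = 1 }
            open = ""; next
        }
        END { if (open != "") { print "UNCLOSED:" open; bad = 1 }; exit bad }
    ' "$1"
}

# Number of CERTIFICATE blocks (leaf plus chain) in FILE.
pem_cert_count() { pem_sections "$1" | grep -c ':CERTIFICATE$'; }

# Succeeds only if FILE carries an appended DH PARAMETERS block.
pem_has_dh() { pem_sections "$1" | grep -q ':DH PARAMETERS$'; }

# Constructed sample mimicking the layout from the thread (bodies are
# placeholders, not key material): key, two-certificate chain, DH parameters.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN PRIVATE KEY-----
placeholder-not-a-real-key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder-leaf-certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-intermediate-certificate
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
placeholder-dh-parameters
-----END DH PARAMETERS-----
EOF

pem_sections "$SAMPLE_PEM"   # prints 1:PRIVATE KEY ... 4:DH PARAMETERS
```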
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel