On 19.04.2014 09:37, Falco Schwarz wrote:
I successfully tested your attached patch with the latest 1.0.2
branch. The DH temp key now has the bit length of the used RSA key,
regardless of SSLCertificate[Key]File order.
Thanks for testing. Committed to trunk with r1588851 and proposed for
On 18.04.2014 23:19, Falco Schwarz wrote:
On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
Looking at the code, it appears that ssl_callback_TmpDH() in
modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
this probably needs to be updated.
On Sat, Apr 19, 2014 at 8:19 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote:
The problem is the one pointed out by Steve in [2] already, I think: in
the callback, SSL_get_privatekey() doesn't get us the private key which
is actually used for the current connection, it only returns the
current
On 19.04.2014 09:00, Falco Schwarz wrote:
that OpenSSL actually returns the private key used by the connection.
I just noticed [1], so you might want to try the attached (but untested)
patch with 1.0.2-beta1 at least (beware of CVE-2014-0160 though, later
versions preferred).
Kaspar
[1]
I successfully tested your attached patch with the latest 1.0.2
branch. The DH temp key now has the bit length of the used RSA key,
regardless of SSLCertificate[Key]File order.
Thank you, Kaspar.
On Sat, Apr 19, 2014 at 9:11 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote:
On 19.04.2014 09:00,
On 04/18/2014 08:34 AM, Falco Schwarz wrote:
As of httpd-2.4.7 the strength of DH temp keys is determined by the private
key's bit length. I recently noticed the following behavior (using
httpd-2.4.9 and openssl-1.0.2-beta2-dev):
I am using multiple certificates for one VHost (ECC and RSA):
On 18.04.2014 14:34, Falco Schwarz wrote:
As of httpd-2.4.7 the strength of DH temp keys is determined by the private
key's bit length. I recently noticed the following behavior (using
httpd-2.4.9 and openssl-1.0.2-beta2-dev):
I am using multiple certificates for one VHost (ECC and RSA):
On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
Looking at the code, it appears that ssl_callback_TmpDH() in
modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
this probably needs to be updated.
That was also my conclusion. It kinda