Hi,

I went on and cloned the OpenSSL 1.0.2 repository, compiled it, and did some 
checks.

Turns out you were correct: when using DH, the parameter is now 2048:

Server Temp Key: DH, 2048 bits

As compared to 2.4.6:

Server Temp Key: DH, 1024 bits

Following the documentation, I added 1024-bit DH parameters to the SSL 
certificate configuration file, and poof:

Server Temp Key: DH, 1024 bits

And also:

HTTP OK: Status line output matched "200" - 19091 bytes in 0.022 second response time |time=0.022378s;2.000000;3.000000;0.000000 size=19091B;;;0

I agree that this is less secure, but on the other hand, ECDHE is way ahead of 
DHE in our cipher list, so this would probably not impact end users after all. 
Since Java <= 7 is still having a lot of problems with keys larger than 1024 
bits (and we've seen this happen, since our automated tests are run in Java), 
downgrading to 1024 will fix the issues, and we can upgrade to 2.4.7 again.

Many thanks for your help!

Cedric


On 21/02/2014 13:02, Jeff Trawick wrote:
> Including d...@httpd.apache.org...
>
> Is anybody else seeing the same behavior? Looking at the documentation, 2.4.7
> has gained some performance improvements, but I'm seeing something different
> on my end.
>

Perhaps it's the increased DH parameter size? If it has increased from 1024 bits
to 2048 that would have a significant effect.

OpenSSL 1.0.2 s_client can help check this, if you do:

openssl s_client -connect www.host.com:443

it says (among lots of other stuff):

Server Temp Key: DH, xxxx bits

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
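The s_client check Steve describes, turned into a small script that parses the "Server Temp Key" line and flags DH parameters shorter than 2048 bits. This is an added example, not code from the thread or from the OpenSSL or httpd projects; it assumes a POSIX shell with sed, and the two s_client outputs embedded below are constructed to mimic what Cedric saw from httpd 2.4.6 and 2.4.7.

```shell
# Added example (not from the thread): parse "Server Temp Key" out of
# openssl s_client output and flag DH parameters below 2048 bits.
# Assumes POSIX sh with sed; sample outputs below are constructed.

MIN_DH_BITS=2048

# Read s_client output on stdin, print "<type> <bits>" (e.g. "DH 1024").
# Handles both "DH, 2048 bits" and "ECDH, P-256, 256 bits" forms.
temp_key_from_output() {
    sed -n 's/^Server Temp Key: \([A-Z]*\),.* \([0-9]*\) bits.*/\1 \2/p' | head -n 1
}

# Classify a "<type> <bits>" pair: prints weak-dh, ok, or unknown.
classify_temp_key() {
    type="$1"; bits="$2"
    case "$type" in
        DH)
            if [ "${bits:-0}" -lt "$MIN_DH_BITS" ]; then
                echo weak-dh
            else
                echo ok
            fi ;;
        ECDH) echo ok ;;
        *) echo unknown ;;
    esac
}

# Classify directly from captured s_client output on stdin.
check_output() {
    key=$(temp_key_from_output)
    [ -n "$key" ] || { echo unknown; return 0; }
    set -- $key
    classify_temp_key "$1" "$2"
}

# Live check against a host (needs network; the "Server Temp Key" line is
# only printed by OpenSSL 1.0.2 or newer, as Steve notes).
check_host() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null | check_output
}

# Constructed samples mimicking the two httpd versions in the thread.
SAMPLE_247='CONNECTED(00000003)
---
Server Temp Key: DH, 2048 bits
---'
SAMPLE_246='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---'

# Usage:
#   printf '%s\n' "$SAMPLE_246" | check_output   # prints weak-dh
#   check_host www.host.com                      # live check
```

The 2048-bit threshold matches the value Cedric observed after upgrading to OpenSSL 1.0.2; an ECDHE key is reported as ok since, as Cedric notes, ECDHE is preferred over DHE in the cipher list and the DH size only matters for clients that fall back to DHE.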
