On 30.01.2014 15:19, Uri Shachar wrote:
> On Thu, 30 Jan 2014 14:47:10 +0100 Reindl Harald wrote:
> snip...
>> one remaining issue currently is that DHE/ECDHE seems not to be supported
>> while httpd/openssl with the same environment do
> snip...
> 
> Added in 4.2.0  - Check out https://issues.apache.org/jira/browse/TS-2372 

cool - thanks!

hopefully the same way as httpd starting with 2.4.7
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

> DH parameter interoperability with primes > 1024 bit
> Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters
> with prime lengths of 2048, 3072 and 4096 bits (from RFC 3526), and hands them
> out to clients based on the length of the certificate's RSA/DSA key. With
> Java-based clients in particular (Java 7 or earlier), this may lead to handshake
> failures - see this FAQ answer for working around such issues.

means that if you have an RSA3072 key the DH params are 3072, the same for 4096 etc.
and if someone wants to control that he can add params to the used PEM file
and it could look like below, containing all TLS relevant params/keys/certs

[root@testserver:~]$ cat conf/ssl/testserver.rhsoft.net.pem
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
*snip*
-----END PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
*snip*
-----END DH PARAMETERS-----
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
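To check what a combined PEM file like the one above actually carries before handing it to a server, the following added example (not code from the mail or from Traffic Server/httpd) parses the PEM blocks, reads the prime size out of the DH PARAMETERS block so it can be compared against the 2048/3072/4096-bit expectations quoted above, and decodes the EC PARAMETERS OID to a named curve. The sample bundle is constructed inline: the certificate and private key bodies are placeholders, the DH prime is a made-up 2048-bit odd number (not a real safe prime, only there to exercise the length check), and the EC PARAMETERS line is the one from the mail.

```python
import base64
import re

# Named-curve OIDs that commonly appear in an "EC PARAMETERS" block.
KNOWN_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def parse_pem_bundle(text):
    """Return a list of (label, der_bytes) for every PEM block, in file order."""
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group(2).split())          # drop line breaks inside the base64
        blocks.append((m.group(1), base64.b64decode(body)))
    return blocks


def decode_oid(der):
    """Decode a single DER OBJECT IDENTIFIER (tag 0x06) into dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a single DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]            # first byte packs the first two arcs
    value = 0
    for b in body[1:]:                              # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """Bit length of p in a PKCS#3 DHParameter SEQUENCE { INTEGER p, INTEGER g }."""
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag, p, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()


# --- constructed sample bundle (helpers below only build the test input) ---
def _der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                                 # keep the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


FAKE_P = (1 << 2047) | 1                            # constructed 2048-bit odd number, NOT a real safe prime
SAMPLE_PEM = (
    _pem("CERTIFICATE", b"placeholder certificate body")      # constructed placeholder
    + _pem("PRIVATE KEY", b"placeholder private key body")    # constructed placeholder
    + _pem("DH PARAMETERS", _der_tlv(0x30, _der_int(FAKE_P) + _der_int(2)))
    + "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n"
)


def summarize_bundle(text):
    """Map each PEM label in the bundle to a short description of its contents."""
    out = {}
    for label, der in parse_pem_bundle(text):
        if label == "EC PARAMETERS":
            oid = decode_oid(der)
            out[label] = KNOWN_CURVES.get(oid, f"unknown curve OID {oid}")
        elif label == "DH PARAMETERS":
            out[label] = f"{dh_prime_bits(der)}-bit prime"
        else:
            out[label] = f"{len(der)} bytes DER"
    return out


if __name__ == "__main__":
    for label, note in summarize_bundle(SAMPLE_PEM).items():
        print(f"{label:15s} {note}")
```

Running it on a real bundle instead of SAMPLE_PEM shows at a glance whether the DH prime matches the key size the mod_ssl documentation quoted above would pick (2048/3072/4096) and which curve the EC PARAMETERS block names; the `BgUrgQQAIg==` line from the mail decodes to OID 1.3.132.0.34, i.e. secp384r1.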
