https://bz.apache.org/bugzilla/show_bug.cgi?id=65764
Bug ID: 65764
Summary: Setting custom DH parameters
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
I have set a custom DH parameters value with SSLOpenSSLConfCmd DHParameters
/etc/ssl/misc/ffdhe4096.pem, but this doesn't work anymore. Not sure when it
stopped working, because I'm doing an audit of the system once every few months/half
a year, but it definitely does not anymore; it uses a 2048-bit key right now, not
sure where it gets it.
Also, according to this: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html
there is no option anymore to set DHParameters with SSLOpenSSLConfCmd and the
advice is to add it to the certificate file?! I suspect that because the leaf
certificate in SSLCertificateFile is 2048-bit it uses that key... I saw some
suggestion from years ago (2016) to set all SSL certificates/private keys with
SSLOpenSSLConfCmd, but there isn't any different result, and yes, I'm using
combined ECDSA/RSA certificates/ciphers.
The relevant config is:
SSLEngine On
SSLStaplingCache shmcb:/run/stapling_cache(32768)
SSLOpenSSLConfCmd DHParameters /etc/ssl/misc/ffdhe4096.pem
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+AES256+AESGCM:EECDH+CHACHA20:EECDH+AES128+AESGCM:EDH+AES256+AESGCM:EDH+CHACHA20:EDH+AES128+AESGCM:EECDH+AES256+SHA384:EECDH+AES128+SHA256:EDH+AES256+SHA256:EDH+AES128+SHA256"
SSLHonorCipherOrder On
SSLCertificateFile /etc/acme-sh/domain.net_ecc/fullchain.cer
SSLCertificateKeyFile /etc/acme-sh/domain.net_ecc/mihgroup.net.key
SSLCertificateFile /etc/acme-sh/domain.net/fullchain.cer
SSLCertificateKeyFile /etc/acme-sh/domain.net/mihgroup.net.key
SSLUseStapling On
SSLSessionTickets Off
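Added example (not part of the bug report and not httpd project code): a small audit script for the situation described above. It encodes the rule from the httpd mod_ssl documentation that custom DH parameters are read only from the first file named by SSLCertificateFile (appended as a PEM "DH PARAMETERS" block), and that without them mod_ssl hands out built-in parameters chosen by the certificate key size. With the config above the ECC fullchain is listed first, so a DH block appended to the RSA fullchain would be ignored. All function names are this example's own, the certificate blocks are constructed placeholders that are only counted, and the 4096-bit modulus is a constructed stand-in (not a safe prime) so the script runs offline; a real deployment appends the RFC 7919 ffdhe4096 group.

```python
"""Audit mod_ssl certificate bundles for custom DH parameters (added example).

Rule from the httpd docs: only the FIRST SSLCertificateFile can carry custom DH
parameters. Sample data below is constructed, not real certificate material.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9. ]+)-----(.*?)-----END \1-----", re.S)


def _der_tlv(tag, content):
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def _der_int(value):
    """DER INTEGER for a non-negative int; +8 keeps a 0x00 pad byte when the MSB is set."""
    return _der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _der_read(buf, offset, tag):
    """Return (content, next_offset) of the TLV at buf[offset], checking its tag."""
    if buf[offset] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {offset}")
    first = buf[offset + 1]
    if first < 0x80:
        n, start = first, offset + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[offset + 2:offset + 2 + k], "big")
        start = offset + 2 + k
    return buf[start:start + n], start + n


def dh_params_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-encoded."""
    der = _der_tlv(0x30, _der_int(p) + _der_int(g))
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(der):
    """Bit length of the prime in a PKCS#3 DER DH parameter block."""
    body, _ = _der_read(der, 0, 0x30)
    p_bytes, _ = _der_read(body, 0, 0x02)
    p = int.from_bytes(p_bytes, "big", signed=True)
    if p <= 0:
        raise ValueError("DH prime is not positive")
    return p.bit_length()


def audit_bundle(pem_text):
    """Return (certificate_count, dh_bits); dh_bits is None when no DH block exists."""
    certs, dh_bits = 0, None
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label == "CERTIFICATE":
            certs += 1
        elif label == "DH PARAMETERS":  # PKCS#3 label only, not "X9.42 DH PARAMETERS"
            dh_bits = dh_prime_bits(base64.b64decode("".join(body.split())))
    return certs, dh_bits


def vhost_dh_report(bundles, expected_bits=4096):
    """bundles: file contents in SSLCertificateFile order for one vhost.
    Returns (effective_dh_bits, warnings); only the first file can supply DH params."""
    effective, warnings = None, []
    for idx, pem in enumerate(bundles):
        _, bits = audit_bundle(pem)
        if idx == 0:
            effective = bits
            if bits is None:
                warnings.append("first SSLCertificateFile has no DH block; "
                                "mod_ssl will use built-in parameters")
            elif bits < expected_bits:
                warnings.append(f"DH prime is {bits} bits, expected {expected_bits}")
        elif bits is not None:
            warnings.append(f"DH block in SSLCertificateFile #{idx + 1} is ignored; "
                            "only the first file is read")
    return effective, warnings


def constructed_cert_bundle(n):
    """n placeholder CERTIFICATE blocks (constructed, not X.509 data; only counted)."""
    body = base64.b64encode(b"placeholder, not a real certificate").decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n") * n


# Constructed 4096-bit modulus so the example runs offline; NOT a safe prime.
PLACEHOLDER_P = (1 << 4095) | 1

if __name__ == "__main__":
    ecc_chain = constructed_cert_bundle(2)  # listed first in the vhost, no DH block
    rsa_chain = constructed_cert_bundle(2) + dh_params_pem(PLACEHOLDER_P)
    print("DH appended to the RSA (second) file:", vhost_dh_report([ecc_chain, rsa_chain]))
    fixed_ecc = ecc_chain + dh_params_pem(PLACEHOLDER_P)
    print("DH appended to the ECC (first) file:", vhost_dh_report([fixed_ecc, rsa_chain]))
```

To confirm from the outside which group the server actually sends, pin TLS 1.2 and a DHE suite, since custom DH parameters only apply to TLS 1.2 DHE key exchange (TLS 1.3 negotiates named groups instead): `openssl s_client -connect domain.net:443 -tls1_2 -cipher DHE </dev/null | grep 'Server Temp Key'`, which prints the DH size in bits.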