https://bz.apache.org/bugzilla/show_bug.cgi?id=65764
--- Comment #7 from Joe Orton ---
(In reply to Klemen Mihevc from comment #6)
> (In reply to Joe Orton from comment #5)
> > Customer DH parameters will be ignored since 2.4.52 if using
> > "SSLOpenSSLConfCmd DHParameters", but will be respected if placing the
> > params in the file referenced by SSLCertificateFile as Yann says.
> >
> > I think we should document the SSLOpenSSLConfCmd interface as
> > less-supportable/stable since it can have unpredictable effects, you are
> > effectively bypassing mod_ssl and configuring OpenSSL directly.
>
> Question is, in times where a lot of certificates are 90 days, should we
> really CAT dhparam into files on every certificate renew and shouldn't have
> some sort of method where we can set it manually with separate file? I also
> understand RSA is technically slowly getting phased out, I technically only
> need RSA certificate for ipsec & printer web interface and I'm using it for
> other services just because I can use both (ECDSA/RSA) at the same time, but
> still...
>
> It was more just, I noticed it stopped working during audit, didn't really
> find anything in changelog so I reported a bug.

Yeah sorry, it should have gone in CHANGES too I guess.

There are two approaches that work:

1) rely on OpenSSL/mod_ssl automatic DH parameter selection.
2) use SSLCertificateFile to override.

Why do you want custom DH parameters? OpenSSL also "discourages" applications
from overriding the built-in parameter selection.
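
For sites that keep custom parameters via approach 2, the renewal concern raised in comment #6 can be handled by a hook that rebuilds the SSLCertificateFile target on each renewal. The following is an added example, not code from this thread or from the httpd project; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Build the file SSLCertificateFile points at: certificate(s) first, then one
# DH PARAMETERS block. Intended to be called from a renewal hook (hypothetical).
# Only PEM markers are checked here; validate the parameters themselves
# separately, e.g. with `openssl dhparam -in dh.pem -check -noout`.

has_pem_block() {  # has_pem_block LABEL FILE
    grep -q -- "-----BEGIN $1-----" "$2" && grep -q -- "-----END $1-----" "$2"
}

install_cert_with_dh() {  # install_cert_with_dh CERT_PEM DH_PEM OUT_PEM
    cert=$1 dh=$2 out=$3
    has_pem_block 'CERTIFICATE' "$cert" ||
        { echo "no certificate in $cert" >&2; return 1; }
    has_pem_block 'DH PARAMETERS' "$dh" ||
        { echo "no DH parameters in $dh" >&2; return 1; }

    # Temp file in the target directory so the final mv is an atomic rename.
    # mktemp creates it with mode 0600; adjust afterwards if your setup needs it.
    tmp=$(mktemp "$(dirname "$out")/.certdh.XXXXXX") || return 1
    {
        # Copy the certificate file, dropping any DH block left over from an
        # earlier run, so repeated renewals never stack duplicates.
        awk '/-----BEGIN DH PARAMETERS-----/ {skip=1}
             !skip {print}
             /-----END DH PARAMETERS-----/ {skip=0}' "$cert" &&
        # Append only the DH block from the parameter file.
        awk '/-----BEGIN DH PARAMETERS-----/ {keep=1}
             keep {print}
             /-----END DH PARAMETERS-----/ {keep=0}' "$dh"
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
}
```

Reload httpd only after the function returns 0, so a failed renewal never leaves a half-written certificate file in place.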
