On 28/06/2013 10:31, Rob Stradling wrote:
> How about making ECDH parameters configurable from within Apache too?
> 

The current technique of hard coding the ECDH parameters isn't correct but it's
the best release versions of OpenSSL can do.

The unreleased OpenSSL 1.0.2 can be configured to use the client's supported
curve list extension to automatically use the highest preference curve.
Optionally server curve preferences can be set too.

OpenSSL 1.0.2 also includes some generalised configuration code which means any
application which uses the SSL configuration API (there is provisional code for
this in 2.5-dev) can be configured using the SSLOpenSSLConfCmd directive. ECDH
curves (and many other things) can be set this way.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
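
A configuration sketch of what the reply describes, added here as an example and not taken from the message or from the httpd or OpenSSL projects. It assumes an httpd build that provides SSLOpenSSLConfCmd and is linked against OpenSSL 1.0.2 or later; the host name, certificate paths and curve choices are constructed placeholders.

```apache
<VirtualHost *:443>
    ServerName            www.example.com        # placeholder host
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt    # placeholder path
    SSLCertificateKeyFile /path/to/server.key    # placeholder path

    # Curves the server is willing to use for ECDHE, most preferred first.
    # OpenSSL intersects this list with the client's supported-curves
    # extension, so no curve is hard-coded into the server build.
    SSLOpenSSLConfCmd Curves P-384:P-256

    # Without this, the client's ordering decides which shared curve wins.
    # ServerPreference makes the order given to "Curves" authoritative.
    SSLOpenSSLConfCmd Options ServerPreference

    # Alternative to the two lines above: pin one curve for every
    # handshake. Clients that do not support it cannot negotiate ECDHE.
    # SSLOpenSSLConfCmd ECDHParameters secp384r1
</VirtualHost>
```

A handshake against the host with `openssl s_client -connect www.example.com:443` reports the negotiated key exchange curve in recent OpenSSL versions, which confirms the preference order took effect.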
