On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Looking at the code, it appears that ssl_callback_TmpDH() in
> modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
> this probably needs to be updated.

That was also my conclusion. It kinda makes sense that ECC keys are not matched, because there is no ECDSA+DH cipher. However, ssl_callback_TmpDH() would either have to iterate through all private keys or just read the first key in order to be consistent with DH / ECDH params.

Reindl, that is quite a good guide on how to set up certificates as of 2.4.9. Unfortunately, you are describing what changed concerning certificate chains; I was talking about different algorithms for server authentication. I guess that was not exactly clear from my description, sorry.

Either way, you cannot mix ECC and RSA keys in one file; you have to use multiple SSLCertificate[Key]File directives, see [1].

[1] http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslcertificatefile
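As an added illustration of the "multiple SSLCertificate[Key]File directives" point (this is example configuration written for this page, not code from the message above or from the httpd project), here is a mod_ssl virtual host that serves an RSA and an ECDSA certificate side by side, as httpd 2.4.8 and later allow. The server name and all file paths are hypothetical placeholders.

```apache
# Added example: dual RSA + ECDSA server certificates for httpd 2.4.8+.
# ServerName and every path below are hypothetical placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # One SSLCertificateFile per key type: RSA and ECC certificates cannot
    # share a file, so the directive is repeated once per algorithm.
    # Each file holds the leaf certificate (plus any intermediates).
    SSLCertificateFile      /etc/ssl/certs/example-rsa.crt
    SSLCertificateFile      /etc/ssl/certs/example-ecdsa.crt

    # SSLCertificateKeyFile directives are paired with the SSLCertificateFile
    # directives in the order they appear, so keep the two lists in the same
    # order (alternatively, embed each key in its certificate file and omit
    # these lines).
    SSLCertificateKeyFile   /etc/ssl/private/example-rsa.key
    SSLCertificateKeyFile   /etc/ssl/private/example-ecdsa.key

    # Offer both ECDSA- and RSA-authenticated ECDHE suites; the cipher suite
    # the client negotiates determines which certificate is sent.
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder     on
</VirtualHost>
```

To confirm that each certificate is actually served, connect twice with an OpenSSL client, restricting the suite to an ECDSA one and then to an RSA one (for example `openssl s_client -connect www.example.com:443 -cipher ECDHE-ECDSA-AES128-GCM-SHA256` and the same with `ECDHE-RSA-AES128-GCM-SHA256`), and check the key type of the certificate each handshake returns. Note also that, per the 2.4 mod_ssl documentation, custom DH parameters appended to a certificate file are only read from the first SSLCertificateFile configured, which is what the remark about "the first key" in the message above refers to.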