Ok, after a _very_ deep breath today, I've committed the Diffie-Hellman/DSA
support for mod_ssl. Puhhhhhh!

As you may remember, I had already started to prepare this complex change in
November(!) last year, but had to wait for a lot of things (mainly better
DH/DSA support in OpenSSL) until it was ready for release. Additionally, the stuff
really needed such a lot of months to survive my personal quality assurance,
because the changes affected really a lot of code in mod_ssl. That's why you
had to wait so long...

But now it's finished and really nice: One can connect to mod_ssl even with
the EDH-DSS-DES-CBC3-SHA cipher and friends. I like this very much, although
the popular browsers still don't support these ciphers, of course.

Now that this DH/DSA support is an official part of mod_ssl and will be
released with 2.3.0 next week, I really would appreciate some testing in
advance by the user community. So, if you want a stable 2.3.0, please
contribute an hour and do the following:

1. You need the latest OpenSSL snapshot (mod_ssl 2.3.0 will later
   _require_ OpenSSL 0.9.3) from ftp://ftp.openssl.org/snapshot/, the latest
   mod_ssl snapshot from ftp://ftp.modssl.org/snapshot/ and Apache 1.3.6 from
   ftp://ftp.apache.org/dist/.

2. Follow the standard procedure for building an Apache+mod_ssl+OpenSSL
   based webserver.

3. Use "make certificate" to generate an RSA cert/key. Now use
   "make install" to install the package. Now again run "make certificate
   ALGO=DSA" to generate a second cert/key pair using the DSA algorithm. Copy
   over the conf/ssl.crt/server.crt to $prefix/etc/ssl.crt/server-dsa.crt and
   conf/ssl.key/server.key to $prefix/etc/ssl.key/server-dsa.key. Then add two
   _ADDITIONAL_ SSLCertificateFile and SSLCertificateKeyFile directives to the
   pre-configured $prefix/etc/httpd.conf file.

4. Try to access the server with RSA or DH ciphers. Especially
   things like
   $ (echo "GET ${1:-/} HTTP/1.0"; echo "Host: localhost:8443"; echo ""; sleep 2) |\
     openssl s_client -connect localhost:8443 -state -cipher EDH-DSS-DES-CBC3-SHA
   should now work!

BTW, you don't need two cert/keys, of course. mod_ssl still allows you to run
just RSA or just DSA cert/keys. But then you can use either RSA or DH
ciphers only, of course... while with two cert/key pairs you can use all ciphers
;) But try it out, even a DSA-only server is now possible...

Please give me feedback.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
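
The following is an added example, not Ralf's code and not part of mod_ssl's source: it reproduces steps 3 and 4 of the message with the plain openssl command line instead of mod_ssl's "make certificate" target, so the dual RSA + DSA setup can be built on any box with the openssl CLI. It generates an RSA and a DSA key/cert pair using the file names from the message, checks which pair carries which key type, prints the two additional SSLCertificateFile/SSLCertificateKeyFile directive pairs for httpd.conf, and wraps the s_client probe in a function. The subject name, 2048-bit key sizes, one-day lifetime and the output directory are assumptions for a throwaway test setup; host localhost and port 8443 come from the message. One caveat for anyone trying it today: DES-based and DSS ciphersuites are legacy and current TLS stacks do not offer them by default, so the probe documents the 1999 check rather than something a modern client would negotiate.

```shell
#!/bin/sh
# Added example (not mod_ssl's own code): dual RSA + DSA server certificates
# for mod_ssl, built with the plain openssl CLI instead of "make certificate".
# Assumptions: subject, key sizes and lifetime are throwaway test values.
set -eu

SUBJ="/CN=localhost"   # assumed test subject
DAYS=1                 # assumed lifetime for a test certificate

# gen_pair ALGO DIR: create DIR/server.key + server.crt (RSA) or
# DIR/server-dsa.key + server-dsa.crt (DSA), mirroring the message's file names.
# Prints the certificate path on success.
gen_pair() {
    algo=$1; dir=$2
    mkdir -p "$dir"
    case $algo in
    RSA)
        key=$dir/server.key; crt=$dir/server.crt
        openssl genrsa -out "$key" 2048 2>/dev/null
        ;;
    DSA)
        key=$dir/server-dsa.key; crt=$dir/server-dsa.crt
        # DSA needs domain parameters (p, q, g) before a key can be generated
        openssl dsaparam -out "$dir/dsaparam.pem" 2048 2>/dev/null
        openssl gendsa -out "$key" "$dir/dsaparam.pem" 2>/dev/null
        ;;
    *)
        echo "gen_pair: ALGO must be RSA or DSA, got '$algo'" >&2
        return 1
        ;;
    esac
    # Self-signed certificate; the signature algorithm follows the key type.
    openssl req -new -x509 -key "$key" -subj "$SUBJ" -days "$DAYS" -out "$crt" 2>/dev/null
    echo "$crt"
}

# cert_key_algo CRT: print the certificate's public-key algorithm
# ("rsaEncryption" or "dsaEncryption"), to verify which pair is which.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# emit_directives DIR: the two _ADDITIONAL_ directive pairs for httpd.conf.
# mod_ssl uses the RSA pair for RSA ciphers and the DSA pair for DH/DSS ones.
emit_directives() {
    dir=$1
    cat <<EOF
SSLCertificateFile    $dir/server.crt
SSLCertificateKeyFile $dir/server.key
SSLCertificateFile    $dir/server-dsa.crt
SSLCertificateKeyFile $dir/server-dsa.key
EOF
}

# probe_cipher HOST PORT CIPHER [PATH]: the message's s_client check as a
# function; prints the negotiated cipher line, or the handshake error.
probe_cipher() {
    host=$1; port=$2; cipher=$3; path=${4:-/}
    { printf 'GET %s HTTP/1.0\r\nHost: %s:%s\r\n\r\n' "$path" "$host" "$port"; sleep 2; } |
        openssl s_client -connect "$host:$port" -state -cipher "$cipher" 2>&1 |
        grep -E 'Cipher is|alert|no cipher'
}

# Usage (the probe needs a running Apache+mod_ssl on localhost:8443):
#   gen_pair RSA /tmp/ssl && gen_pair DSA /tmp/ssl && emit_directives /tmp/ssl
#   probe_cipher localhost 8443 EDH-DSS-DES-CBC3-SHA
#   probe_cipher localhost 8443 DES-CBC3-SHA   # RSA-keyed suite, for contrast
```

Running gen_pair for both algorithms and then cert_key_algo on each .crt is the quick way to confirm the copy step in the message went right: a DSS cipher will only ever be offered if the file named server-dsa.crt really contains a dsaEncryption key, and a mix-up leaves the server silently RSA-only.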
