On 19.04.2014 09:37, Falco Schwarz wrote:
> I successfully tested your attached patch with the latest 1.0.2
> branch. The DH temp key now has the bit length of the used RSA key,
> regardless of SSLCertificate[Key]File order.
Thanks for testing. Committed to trunk with r1588851 and proposed for
bac
I successfully tested your attached patch with the latest 1.0.2
branch. The DH temp key now has the bit length of the used RSA key,
regardless of SSLCertificate[Key]File order.
Thank you, Kaspar.
On Sat, Apr 19, 2014 at 9:11 AM, Kaspar Brand wrote:
> On 19.04.2014 09:00, Falco Schwarz wrote:
>>
On 19.04.2014 09:00, Falco Schwarz wrote:
> that OpenSSL actually returns the private key used by the connection.
I just noticed [1], so you might want to try the attached (but untested)
patch with 1.0.2-beta1 at least (beware of CVE-2014-0160 though, later
versions preferred).
Kaspar
[1]
https
On Sat, Apr 19, 2014 at 8:19 AM, Kaspar Brand wrote:
> The problem is the one pointed out by Steve in [2] already, I think: in
> the callback, SSL_get_privatekey() doesn't get us the private key which
> is actually used for the current connection, it only returns the
> "current" key i.e. the last
On 18.04.2014 23:19, Falco Schwarz wrote:
> On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor
> wrote:
>
>> Looking at the code, it appears that ssl_callback_TmpDH() in
>> modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
>> this probably needs to be updated.
>>
>
> That w
On Fri, Apr 18, 2014 at 4:04 PM, Daniel Kahn Gillmor
wrote:
> Looking at the code, it appears that ssl_callback_TmpDH() in
> modules/ssl/ssl_engine_kernel.c doesn't try to match ECC keys at all --
> this probably needs to be updated.
>
That was also my conclusion. It kinda makes sense that ECC ke
On 18.04.2014 14:34, Falco Schwarz wrote:
> As of httpd-2.4.7 the strength of DH temp keys is determined by the private
> key's bit length. I recently noticed
> the following behavior (using httpd-2.4.9 and openssl-1.0.2-beta2-dev):
>
> I am using multiple certificates for one VHost (ECC and R
On 04/18/2014 08:34 AM, Falco Schwarz wrote:
> As of httpd-2.4.7 the strength of DH temp keys is determined by the private
> key's bit length. I recently noticed the following behavior (using
> httpd-2.4.9 and openssl-1.0.2-beta2-dev):
>
> I am using multiple certificates for one VHost (ECC and RS
As of httpd-2.4.7 the strength of DH temp keys is determined by the private
key's bit length. I recently noticed the following behavior (using
httpd-2.4.9 and openssl-1.0.2-beta2-dev):
I am using multiple certificates for one VHost (ECC and RSA):
SSLCertificateFile conf/ssl/example.org.ec