-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
I'm running httpd 2.2.31 on Amazon Linux, and the docs for SSLCertificateFile say: " Beginning with version 2.2.30, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 bits (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key. " I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL Labs' SSL testing tool. That suggests that the DH parameter strength is less than what I was expecting: 4096-bit (or equivalent). How does httpd determine which DH primes to use based upon the RSA key? The server's key is 4096-bit, but the issuer's key (in the chain) is 2048-bit. Is that the reason SSL Test is not giving me full marks? I'm trying to create a 4096-bit parameters file (to attach to the RSA key chain), but it's taking a while so I figured I'd ask in the meantime . Thanks! - -chris PS I'll see some of you in Miami! -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJY3WteAAoJEBzwKT+lPKRYn7oP/izQu232bxrNNvtjtrYT/u7B fRgWALYU1S+Subp8gv809DB5nzcYyk5wjc+O8dqBzNFUjONfkAHKRrkTTaWQeqL2 u6bungrbmKmn1H/j547ZLDTI0CjE1ZeFyr/8NBGmJSf9MdVpCjaDZeptelnX63+z Hd/jIdV3NV49KrWw0Pb7tuLH/SzoJ6y8M+tPJW7i4PO3e4lrPUDI8BTtB+8EUD+Y exbFAXu/V8fzm/hLvR3cm/G85GkhwSIn91rTrBM10bHtIx6x+tCShC5lhXyWUSxV rRZ7KsDAy6t2RO5PNyAUMvPq3h3y79AWsGAsATgiOpZH5P+4ChU4J/7JMV2XN2/6 aK7dM3VZXwYVmE4auRZPhA/D2YY9OOLDXPv7dsRcOM5Rehe29FgzVuFGIDFgEbS0 p88MB5pZwxllkCeIgEd+hIP42lp3/Gbz0kaJh/lZCiBuIHUovKO12llszhOnczBk WMPLzWkewzQB4iEFbyldemNpHQvtK/jyigVNwUjVLfl7w+Fs2l4h0A1CFCYxZ9nh s9EG53gHUwvz3+PQKr2nJkOev44SQiZAY77FLgTn9QoG7jPTU460BXO2IxG/qbSA EkK4nvBFRWFSMQwu2RLzjlTKidFR7LDaBbIJ1Lk1cmEd7vnUQiFL1o3/Fg7SBgin BpP3j8DlPtdHDI9BB+sy =13zU -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
