-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
On 3/30/17 4:32 PM, Christopher Schultz wrote: > All, > > I'm running httpd 2.2.31 on Amazon Linux, and the docs for > SSLCertificateFile say: > > " Beginning with version 2.2.30, mod_ssl makes use of standardized > DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 > bits (from RFC 3526), and hands them out to clients based on the > length of the certificate's RSA/DSA key. " > > I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL > Labs' SSL testing tool. That suggests that the DH parameter > strength is less than what I was expecting: 4096-bit (or > equivalent). > > How does httpd determine which DH primes to use based upon the RSA > key? The server's key is 4096-bit, but the issuer's key (in the > chain) is 2048-bit. Is that the reason SSL Test is not giving me > full marks? > > I'm trying to create a 4096-bit parameters file (to attach to the > RSA key chain), but it's taking a while so I figured I'd ask in the > meantime . I added my 4096-bit DH parameters to the end of my cert file, like this: - -----BEGIN CERTIFICATE----- [my RSA certificate] - -----END CERTIFICATE----- - -----BEGIN DH PARAMETERS----- [my DH parameters data] - -----END DH PARAMETERS----- and restarted httpd. When running SSL Labs' test, it tells me the following: cipher / key-exch / strength / forward-security TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits FS So it looks like the DH parameters are okay, but the EC RSA-bit-equiv is only 3072. Does this mean that I'd need to create an ecparam file to raise that RSA-bit-equiv even higher? Thanks, - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJY3m0pAAoJEBzwKT+lPKRY+yEP/RoJD/UK7DtWRsklRqf7dnkK b1ISfV7+tbJokQ+i+gnBHeU+IXA70DLU0y5bjd82zEXfBJ4rwk0yhDXr2110PVjE reZz8C37NfXXCNXWJiSAfOOyEYJBzXQ8/hsrcbRTcDnetWvsXwZ09OIn7q/IDRvP 94W5LjtZM9FW0Obtcgrn2P/nQSPKIJlHAdZFgwVZkart1snRwAklQQ2kwX29Knyt h/ZZ1i5B31euZRrQsbTIYKkpCrfALi1eRQvmgGuW+Myjlj3M+Cr7Hw9uR73qKCAW 4cNrue+8DmYSDHwjAHbfcxqcEEJvgkfgBU3SuRdWrud/zwWlYhI2HxfGwoONK4Vo wGljRAcen3X8jebnkXj3v4QhToGmESFU2vBnxXpmDjo0pxMhSk2OzAYXdSTBtLL9 BjlrObQM5WAvyX0PjBAji+fD1Iz690jCbGJWqHfOeNIAlkDbVtjZE8fiNK0k57K8 dSjzLWDjDOAgC/rPc5SeFCAewcqcBDVAObfITKrm77c2hqHH6jOjWdNiZj/2Xg5d 6FUTC6VLlk/VULf8xK0WL27RaqwvOcExbrnbed4oLB+wmIw1uD47LFFAz9dmL+J4 RppIcIBcnXPvuaeXbZ227gkO/2ShSgPzH1oZm09UORMdbZw+Xwm8Gks/PcHQujMD UG8+nS4yiXV0VLkqMs2e =NUwP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
