thanks, applied to my rpmbuild and verified with ECDHE; the Calomel SSL Validation add-on in Firefox is happy with that and gives 88% (until FF27 enables AES-GCM, which leads to 100%)
without PFS it classifies the security with a red "weak"

On 30.01.2014 16:59, Thomas Berger wrote:
> Here is a working patch against 4.1.2, should also work on 4.1.3.
>
> Backported from the 4.2.0 tree.
>
> On Thursday, 30 January 2014, 15:38:07, Reindl Harald wrote:
>> On 30.01.2014 15:19, Uri Shachar wrote:
>>> On Thu, 30 Jan 2014 14:47:10 +0100 Reindl Harald wrote:
>>> snip...
>>>
>>>> one remaining issue currently is that DHE/ECDHE seems not to be supported
>>>> while httpd/openssl with the same environment do
>>>
>>> snip...
>>>
>>> Added in 4.2.0 - Check out https://issues.apache.org/jira/browse/TS-2372
>>
>> cool - thanks!
>>
>> hopefully the same way as httpd starting with 2.4.7
>> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
>>
>>> DH parameter interoperability with primes > 1024 bit
>>> Beginning with version 2.4.7, mod_ssl makes use of standardized DH
>>> parameters with prime lengths of 2048, 3072 and 4096 bits (from RFC
>>> 3526), and hands them out to clients based on the length of the
>>> certificate's RSA/DSA key. With Java-based clients in particular (Java 7
>>> or earlier), this may lead to handshake failures - see this FAQ answer
>>> for working around such issues.
>>
>> means that if you have an RSA 3072 key, the DH params are 3072, the same for 4096 etc.
>> and if someone wants to control that, he can add params to the used PEM file,
>> and it could look like below, containing all TLS-relevant params/keys/certs
>>
>> [root@testserver:~]$ cat conf/ssl/testserver.rhsoft.net.pem
>> -----BEGIN CERTIFICATE-----
>> *snip*
>> -----END CERTIFICATE-----
>> -----BEGIN PRIVATE KEY-----
>> *snip*
>> -----END PRIVATE KEY-----
>> -----BEGIN DH PARAMETERS-----
>> MIIBiAKCAYEAsprp4BdLI4Vo8JcsJbu6/UJK+udAl3C1sHrBahXXdVxt6ArjbktI
>> up5BfGoiBfj28K0DiGSdXvnpDemaiJd29X+M7+XvJN6px0EP54aU+2Y+LeceI5WK
>> FBokp1wQFVG0f6ccNlXvoLec1iQLog+ygDT5m25yGKjfHTpRgJovoi5Jwoqtl0H+
>> XQ32oHh3/8IA1CjoWDkuHJGEWX6z26W9dTn9U4t9e0dIL+ulX6cQfkkJDSzwBgEs
>> y9jimihp73zu7hAIu/zNBMFWYswbZ4Z5SA1wENNRsO3nmBCekCjfKp0MuEJGQ/xx
>> U2Hrcd6UAPwTEjuWmBOi/DlAPQyLbTVDinBDfoZHsrl1Je1Hxwix4nsLsml0NoDw
>> i0jzihtOCoKiTuP7BWemZy2eKOqcRnu764bcFp8/l3klKWpuOH6Vd/7rfoe/FzQR
>> 8M8b5lTGTktjVPhZaRLe9lrHkVCa7MnPdHBK/JHvGBHsvGFQur4oQm5culCeQAxq
>> 0C/m6ck3xYTLAgEC
>> -----END DH PARAMETERS-----
>> -----BEGIN EC PARAMETERS-----
>> BgUrgQQAIg==
>> -----END EC PARAMETERS-----
signature.asc
Description: OpenPGP digital signature
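The message above shows a combined PEM file with DH PARAMETERS and EC PARAMETERS blocks appended so the server hands out a group of the administrator's choosing instead of one derived from the certificate key size. What it does not show is how to verify, before deploying, which group and curve such a file actually contains. The following is an added example, not code from the thread or from Traffic Server or httpd: a small offline checker that locates the two parameter blocks, decodes the PKCS#3 DH structure to report the prime size and generator, and maps the EC PARAMETERS OID to its curve name. The sample input is the two parameter blocks copied from the PEM excerpt above (the snipped certificate and key are omitted); the 2048-bit floor in `check_params` and the curve-name table are this example's assumptions, not anything the thread states.

```python
import base64
import re

# Named-curve OIDs that OpenSSL writes into an "EC PARAMETERS" block (RFC 5480 / SEC 2 names).
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

# Constructed input: the DH and EC parameter blocks from the message's PEM excerpt,
# without the (snipped) certificate and private key blocks.
SAMPLE_PEM = """\
-----BEGIN DH PARAMETERS-----
MIIBiAKCAYEAsprp4BdLI4Vo8JcsJbu6/UJK+udAl3C1sHrBahXXdVxt6ArjbktI
up5BfGoiBfj28K0DiGSdXvnpDemaiJd29X+M7+XvJN6px0EP54aU+2Y+LeceI5WK
FBokp1wQFVG0f6ccNlXvoLec1iQLog+ygDT5m25yGKjfHTpRgJovoi5Jwoqtl0H+
XQ32oHh3/8IA1CjoWDkuHJGEWX6z26W9dTn9U4t9e0dIL+ulX6cQfkkJDSzwBgEs
y9jimihp73zu7hAIu/zNBMFWYswbZ4Z5SA1wENNRsO3nmBCekCjfKp0MuEJGQ/xx
U2Hrcd6UAPwTEjuWmBOi/DlAPQyLbTVDinBDfoZHsrl1Je1Hxwix4nsLsml0NoDw
i0jzihtOCoKiTuP7BWemZy2eKOqcRnu764bcFp8/l3klKWpuOH6Vd/7rfoe/FzQR
8M8b5lTGTktjVPhZaRLe9lrHkVCa7MnPdHBK/JHvGBHsvGFQur4oQm5culCeQAxq
0C/m6ck3xYTLAgEC
-----END DH PARAMETERS-----
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, DER bytes) for every PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_sequence(buf):
    """Return the (tag, value) children of a top-level DER SEQUENCE."""
    tag, body, _ = der_tlv(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    children, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        children.append((tag, val))
    return children


def decode_oid(val):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def inspect_pem(text):
    """Summarize the DH group and EC curve the combined PEM file would hand to the TLS stack."""
    summary = {}
    for label, der in pem_blocks(text):
        if label == "DH PARAMETERS":
            # PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, privateValueLength OPTIONAL }
            ints = [int.from_bytes(v, "big", signed=True) for t, v in der_sequence(der) if t == 0x02]
            summary["dh_prime_bits"] = ints[0].bit_length()
            summary["dh_generator"] = ints[1]
        elif label == "EC PARAMETERS":
            tag, val, _ = der_tlv(der)
            if tag == 0x06:  # namedCurve OID; anything else is an explicit curve definition
                summary["ec_curve_oid"] = decode_oid(val)
                summary["ec_curve"] = NAMED_CURVES.get(summary["ec_curve_oid"], "unknown named curve")
            else:
                summary["ec_curve"] = "explicit parameters"
    return summary


def check_params(summary, min_dh_bits=2048):
    """Warnings a reviewer would raise; the 2048-bit floor is an assumption of this example."""
    warnings = []
    bits = summary.get("dh_prime_bits")
    if bits is None:
        warnings.append("no DH PARAMETERS block: DHE suites use whatever default group the server has")
    elif bits < min_dh_bits:
        warnings.append("DH prime is %d bits, below the %d-bit floor" % (bits, min_dh_bits))
    if bits is not None and bits > 1024:
        # Per the quoted mod_ssl documentation, Java 7 and earlier fail on DH primes above 1024 bits.
        warnings.append("DH prime is %d bits: Java 7 and earlier clients will fail the handshake" % bits)
    if "ec_curve_oid" not in summary:
        warnings.append("no named-curve EC PARAMETERS block: ECDHE curve choice is left to the server default")
    return warnings


if __name__ == "__main__":
    s = inspect_pem(SAMPLE_PEM)
    print(s)
    for w in check_params(s):
        print("WARNING:", w)
```

Run against the excerpt, the checker reports a 3072-bit DH prime with generator 2 and the curve secp384r1 (OID 1.3.132.0.34), which matches the claim that an RSA 3072 certificate gets 3072-bit DH parameters. The prime in that file begins with the bytes B2 9A E9, so it is a locally generated group rather than one of the RFC 3526 MODP groups (whose primes all begin with FF FF FF FF); the only warning raised is the Java 7 interoperability caveat already quoted from the mod_ssl documentation.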