You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Falco Schwarz <hi...@falco.me> on 2014/02/19 18:30:46 UTC

DH params and multiple certificates

As of svn.apache.org/r1527295 standardized DH parameters were added to mod_ssl. If I understand docs correctly, the bit length is based on the RSA/DSA key. With the recent support of multiple certificates per VirtualHost it is possible to use an RSA and ECC certificate.

When using RSA and ECC, the DH bit length is dependent on the certificate configured last, so:

- if ECC is configured last, 1024 bit DH params are set (minimum)
- if RSA is configured last, the DH params depend on the private keys bit length (it works)

The ECC certificate should in any way be skipped and not taken into account when setting DH params.

Re: DH params and multiple certificates

Posted by Kaspar Brand <ht...@velox.ch>.

On 20.02.2014 04:06, Dr Stephen Henson wrote:
> On 19/02/2014 17:30, Falco Schwarz wrote:
>> The ECC certificate should in any way be skipped and not taken into account when setting DH params. 		 	   		  
>>
> 
> I think that's a consequence of how SSL_get_certificate works. You get the
> current certificate which is not necessarily the one the server actually uses.

When adapting the code in ssl_engine_kernel:ssl_callback_TmpDH(), I was
indeed making the assumption that the latter is true. Seems like that
was too implicit, as I realize that the exact behavior of
SSL_get_privatekey isn't documented.

> No ciphersuites exist using ephemeral DH and ECDSA.

Which means that adjusting the DH parameters in ssl_callback_TmpDH() is
harmless, currently (though it should be avoided, I agree).

> We should probably have a way to set the current certificate in OpenSSL to the
> one the server used.

Could ssl_lib.c:ssl_get_server_send_pkey be adapted to ensure this?

Kaspar

Re: DH params and multiple certificates

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.

On 19/02/2014 17:30, Falco Schwarz wrote:
> As of svn.apache.org/r1527295 standardized DH parameters were added to mod_ssl. If I understand docs correctly, the bit length is based on the RSA/DSA key. With the recent support of multiple certificates per VirtualHost it is possible to use an RSA and ECC certificate.
> 
> When using RSA and ECC, the DH bit length is dependent on the certificate configured last, so:
> 
> - if ECC is configured last, 1024 bit DH params are set (minimum)
> - if RSA is configured last, the DH params depend on the private keys bit length (it works)
> 
> The ECC certificate should in any way be skipped and not taken into account when setting DH params. 		 	   		  
> 

I think that's a consequence of how SSL_get_certificate works. You get the
current certificate which is not necessarily the one the server actually uses.

Ugly workaround for ephemeral DH ciphersuites... if the cipher is of the form
*-RSA-* it's the RSA certificate and *-DSS-* it's the DSA one. No ciphersuites
exist using ephemeral DH and ECDSA.

We should probably have a way to set the current certificate in OpenSSL to the
one the server used.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com