Comment 31 for bug 1197884

In , Asfbugz (asfbugz) wrote:

Created attachment 30804
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)

I'm fine with the idea, but the implementation in the patches submitted so far is too complex, in my opinion (in particular the SSL_read_DHparams stuff, which tries to support/read three different formats).

Here is an alternative proposal:

- only support PEM-formatted parameters (-----BEGIN DH PARAMETERS----- / -----END DH PARAMETERS-----)

- use the existing SSLCertificateFile directive to support per-vhost, custom DHE and ECDHE parameters

Attached is a - lightly tested - proof of concept, to be applied to either trunk or 2.4.x... testing and feedback welcome. To specify EC curve names, append the output of "openssl ecparam -name secp521r1" or your favorite curve to SSLCertificateFile (of course the docs for SSLCertificateFile would have to be extended, if there is a general agreement on taking this approach).
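The comment above proposes a single concatenated PEM file (certificate, then DH PARAMETERS, then EC PARAMETERS) as the SSLCertificateFile. The following is an added example, not the attached patch and not httpd's own code: a small Python inspector that splits such a file into its PEM blocks, measures the DH modulus size from the PKCS#3 DER encoding, and maps a named-curve EC PARAMETERS block to its curve name, so an administrator can confirm what a combined file actually carries before pointing the directive at it. The sample file is constructed inline; the certificate body and the DH modulus are placeholders (the modulus is not a real safe prime, only a number of the right size), while the EC PARAMETERS block is the literal output of "openssl ecparam -name secp521r1". The curve OID table and the check threshold are assumptions, not something the comment states.

```python
import base64
import re

# One PEM block: label, base64 body (newlines tolerated), matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Assumed mapping of a few named-curve OIDs (dotted form) to OpenSSL names.
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def der_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(n: int) -> bytes:
    """DER INTEGER for a non-negative n; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_pem_blocks(text: str):
    """Split a concatenated PEM file into (label, DER bytes) pairs, in file order."""
    return [(label, base64.b64decode(body)) for label, body in PEM_RE.findall(text)]


def inspect_ssl_certificate_file(text: str) -> dict:
    """Report which PEM labels a combined SSLCertificateFile carries, the DH
    modulus size in bits, and the named EC curve (if the named-curve form is used)."""
    info = {"labels": [], "dh_bits": None, "ec_curve": None}
    for label, der in parse_pem_blocks(text):
        info["labels"].append(label)
        if label == "DH PARAMETERS":
            # PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }
            _, seq, _ = read_tlv(der, 0)
            tag, p_bytes, _ = read_tlv(seq, 0)
            if tag == 0x02:
                info["dh_bits"] = int.from_bytes(p_bytes, "big").bit_length()
        elif label == "EC PARAMETERS":
            tag, value, _ = read_tlv(der, 0)
            if tag == 0x06:  # named curve (OID); explicit parameters would start with SEQUENCE
                dotted = decode_oid(value)
                info["ec_curve"] = NAMED_CURVES.get(dotted, dotted)
    return info


def dh_too_small(info: dict, minimum_bits: int = 2048) -> bool:
    """Assumed policy check: flag a DH group below the given modulus size."""
    return info["dh_bits"] is not None and info["dh_bits"] < minimum_bits


def pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_sample_file(dh_bits: int = 2048) -> str:
    """Constructed sample SSLCertificateFile: placeholder cert, placeholder DH group
    of the requested size (not a real prime), and the real secp521r1 EC PARAMETERS."""
    p = (1 << (dh_bits - 1)) | 1  # constructed modulus, only its size matters here
    g = 2
    dh_body = der_int(p) + der_int(g)
    dh_der = b"\x30" + der_len(len(dh_body)) + dh_body
    ec_block = "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIw==\n-----END EC PARAMETERS-----\n"
    return (pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
            + pem("DH PARAMETERS", dh_der) + ec_block)


if __name__ == "__main__":
    summary = inspect_ssl_certificate_file(build_sample_file())
    print(summary, "weak DH:", dh_too_small(summary))
```

On real files, replace build_sample_file() with the contents of the concatenated SSLCertificateFile; the parser only needs the PEM labels and DER framing, so output from "openssl dhparam" and "openssl ecparam -name ..." is read as-is. An EC PARAMETERS block in explicit-parameter form is reported with ec_curve left as None, which is itself useful to know, since the proposal in the comment is about curve names.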