(In reply to Erwann Abalea from comment #9)
> This function is similar to SSL_read_X509 and SSL_read_PrivateKey defined in
> the same file, and used by the module to read the corresponding objects.
Perhaps this is an opportunity to clean up some mod_ssl cruft... I just took an extended proposal to the mailing list, to stir some further discussion:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%<email address hidden>%3E
Additionally, I think we should consider using 2048-bit DH parameters by default if the cert's RSA/DSA key is 2048 bits or more (so that sysadmins don't have to generate their custom DH parameters to get more than 1024 bits for DHE). Changing this by default is probably debatable, and therefore another reason I'm taking it to the list.
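The sizing policy proposed above (DH parameters matched to the certificate's key size), as an added shell example that is not part of the bug thread or of mod_ssl itself. It assumes `openssl` is on the PATH, that the certificate is PEM encoded, and that the resulting parameters are appended to the file named by SSLCertificateFile, which mod_ssl reads custom DH parameters from in httpd 2.4.7 and later.

```sh
#!/bin/sh
# Added example, not code from the bug thread: generate ephemeral DH parameters
# whose size follows the certificate's key size, as the comment proposes mod_ssl
# should do by default. Assumes openssl is installed; file paths are placeholders.
set -eu

# Policy from the comment: 2048-bit DH when the cert key is >= 2048 bits,
# otherwise the historical 1024-bit default.
choose_dh_bits() {
    if [ "$1" -ge 2048 ]; then echo 2048; else echo 1024; fi
}

# Extract the public-key size in bits from a PEM certificate
# (parses the "Public-Key: (N bit)" line of 'openssl x509 -text').
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Generate DH parameters sized for the cert and append them to the cert file,
# where mod_ssl (httpd 2.4.7+) picks them up from SSLCertificateFile.
# Prints the chosen parameter size.
generate_dh_for_cert() {
    cert="$1"
    bits=$(choose_dh_bits "$(cert_key_bits "$cert")")
    openssl dhparam -out "dh${bits}.pem" "$bits"
    cat "dh${bits}.pem" >> "$cert"
    echo "$bits"
}

# Usage: ./dh-for-cert.sh /etc/ssl/certs/server.pem  (placeholder path)
if [ -n "${1:-}" ]; then
    generate_dh_for_cert "$1"
fi
```

After appending, reload httpd and confirm with `openssl s_client` that a DHE suite now negotiates with the expected parameter size.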