jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Wed 27 Nov '13 11:30 Post subject: 2.4.7 enables DH-Keys with more than 1024 Bits

Thank you very much for 2.4.7!
This version enables DH keys with more than 1024 bits and pushes the SSL Labs rating for key exchange to 100%.
Fantastic!

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 27 Nov '13 15:02 Post subject:

jraute wrote:
    This version enables DH keys with more than 1024 bits

How do I set that option? I wasn't lucky in the docs.

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Wed 27 Nov '13 23:30 Post subject:

No additional settings are necessary.
Just choose a key length > 1024 bits, et voilà.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 27 Nov '13 23:56 Post subject:

I wonder, because with all the 2.4.x versions I had 100% on that test, because my key is 4096 bits (RSA) (I found the saved test from April 2012 with 100% key exchange).

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Thu 28 Nov '13 1:39 Post subject:

I had only 80% before, and I think it was because of the 1024-bit Diffie-Hellman key, which is now 4096 bits large.
But one thing is still strange: there should be the option of using additional certificate files, and this I wasn't able to define.
Anyway, an improvement!

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Thu 28 Nov '13 12:31 Post subject:

You can define SSLCertificateFile and SSLCertificateKeyFile up to three times. Exceptions are DH and ECDH, where Apache uses only the first one.

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 29 Nov '13 11:16 Post subject:

The SSLCertificateFile / SSLCertificateKeyFile I tried to use, but I could not use it for an additional DH parameter set. Maybe I misunderstood something.
Anyway, the current results are good: http://picload.org/image/oprcggo/unbenannt.png

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Fri 29 Nov '13 12:23 Post subject:

Well, in the SSL FAQ there is a small "how-to" to add a second DH certificate:
http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh
The additional DH parameter: I thought a bit about it, and it is when you create the certificate via openssl(.exe) that you can add that parameter.
e.g.
Code:
    openssl.exe dhparam

Maybe it is a bit too much English. I'll ask Gregg if he can clarify it.

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 29 Nov '13 12:55 Post subject:

Moin moin!
I built a separate Diffie-Hellman 4096-bit PEM file with openssl and tried to load it. I was not able to load it the way I thought.
After reading the FAQ, I don't see any mistakes in the httpd file I used.
Well, it's no problem for sure, but it would be interesting how to go that way - calculating a DH parameter and using it instead of the built-in version.
Greets

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 03 Dec '13 23:54 Post subject:

Moin moin either!
Can you please post the command line for how to create the 4096 DH key? I had my issues.
And also an example config? I wanna play with it a bit.

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Wed 04 Dec '13 1:10 Post subject:

Ok, the command is:
Code:
    openssl dhparam -out dh_4096.pem 4096

Then it generates a DH parameter with a bit size of 4096 in a file named dh_4096.pem.
(If you do that, it takes some time.)
The configuration (httpd) I will post later - right now, typing on the phone, it's a bit uncomfortable.
Greets

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Wed 04 Dec '13 10:26 Post subject:

Test configuration:
Code:
    SSLEngine On
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
    SSLCertificateFile conf/ssl/dh_4096.pem
    SSLCertificateFile conf/ssl/cert.crt
    SSLCertificateKeyFile conf/ssl/key.key
    SSLOptions +StrictRequire +StdEnvVars -ExportCertData

(The configuration works fine without the first SSLCertificateFile definition.)

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 04 Dec '13 16:21 Post subject:

jraute wrote:
    Ok, the command is:
    openssl dhparam -out dh_4096.pem 4096

Doing so I get a key with only 769 bytes and the error unable to write 'random state' (see http://pastebin.com/raw.php?i=zMFnk5Jb).

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 04 Dec '13 20:36 Post subject:

I'm assuming this is on Win & not Debian?
If so, try running the command prompt as admin. I always forget and have the same problem.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 04 Dec '13 23:34 Post subject:

glsmith wrote:
    I'm assuming this is on Win & not Debian?

Yep, Windows. I haven't tried Debian yet.

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Thu 05 Dec '13 7:12 Post subject:

Great!
Btw, 45 minutes is fast.
Remember my words: "it takes some time".

jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Tue 10 Dec '13 12:01 Post subject:

Did you get it running?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Tue 10 Dec '13 12:56 Post subject:

Nope,
Apache does not start with it. I get
Code:
    [Tue Dec 10 11:40:45.426587 2013] [ssl:emerg] [pid 3594:tid 140460423911168] AH01895: Unable to configure verify locations for client authentication
    [Tue Dec 10 11:42:38.840313 2013] [ssl:emerg] [pid 10282:tid 140261583156992] AH01895: Unable to configure verify locations for client authentication

Since I wanted to use a valid StartSSL conf.
ssl.conf
Code:
    SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
    SSLOptions +StrictRequire +StdEnvVars -ExportCertData
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

vhost conf
Code:
    <VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile /opt/apache2/conf/certs/ah.de.2013.crt
    SSLCertificateKeyFile /opt/apache2/conf/certs/ah.de.2013.key
    SSLCertificateChainFile /opt/apache2/conf/certs/sub.class1.server.ca.pem
    # SSLCACertificateFile /opt/apache2/conf/certs/ca.pem
    SSLCACertificateFile /opt/apache2/conf/certs/dh_4096.pem
    <Files ~ "\.(cgi|shtml|phtml|php|htm|html?)$">
    SSLOptions +StdEnvVars
    </Files>
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </VirtualHost>

Bad is that the key must match the crt file. I will try more.
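Added example (not posted by anyone in this thread): mod_ssl 2.4.7 reads custom DH parameters from a DH PARAMETERS block appended to the end of the first certificate file named by SSLCertificateFile, not from a separate SSLCertificateFile or SSLCACertificateFile entry, which is why the two configurations above fail. This small Python inspector splits such a combined PEM file into its blocks and decodes the prime size of any DH PARAMETERS block so you can confirm what Apache will actually see. The helper names are my own, and the embedded sample is constructed with a 61-bit prime so it runs offline.

```python
import base64
import re
def _der_len(n):  # DER length octets, short and long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):  # minimal positive INTEGER encoding
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body
def der_dh_params(p, g):  # PKCS#3 DHParameter ::= SEQUENCE { prime p, base g }
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body

def pem_block(label, der):  # wrap DER in a PEM envelope with 64-char lines
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):  # split a PEM file into (label, DER bytes) in file order
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in _PEM_RE.finditer(text)]

def _der_read(buf, pos):  # one TLV at pos -> (tag, value bytes, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as used by 2048/4096-bit primes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(der):  # bit length of p; raises if the block is not DH params
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS must be a SEQUENCE")
    tag, p_bytes, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("first element must be INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def inspect_pem(text):  # (label, DER size, prime bits or None) for each block
    return [(label, len(der), dh_prime_bits(der) if label == "DH PARAMETERS" else None)
            for label, der in pem_blocks(text)]

# Constructed sample: placeholder CERTIFICATE block (not a real certificate) with DH
# parameters for the 61-bit prime 2**61 - 1 appended; a real cert.crt with dh_4096.pem
# appended would report ('DH PARAMETERS', 524, 4096) for that block instead of (15, 61).
SAMPLE_PEM = (pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
              + pem_block("DH PARAMETERS", der_dh_params(2 ** 61 - 1, 2)))
```

Point inspect_pem at the file after appending dh_4096.pem to cert.crt; if no DH PARAMETERS block is listed, Apache falls back to its built-in parameters. A 4096-bit parameter file from openssl dhparam is 769 bytes in PEM form, so the size reported earlier in the thread is exactly what a correct file looks like.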