Apache Lounge forum, Apache section
Topic: 2.4.7 enables DH-Keys with more than 1024 Bits

jraute (Rheinland, Germany)
Posted: Wed 27 Nov '13 11:30    Subject: 2.4.7 enables DH-Keys with more than 1024 Bits

Thank you very much for 2.4.7!

This version enables DH keys with more than 1024 bits and pushes the SSL Labs rating for key exchange to 100%.

Fantastic!!!
James Blond (Moderator; Germany, next to Hamburg)
Posted: Wed 27 Nov '13 15:02

jraute wrote:
    This version enables DH keys with more than 1024 bits

How do I set that option? I wasn't lucky in the docs.
jraute (Rheinland, Germany)
Posted: Wed 27 Nov '13 23:30

No additional settings necessary.
Just choose a key length > 1024 bits et voila.
James Blond (Moderator; Germany, next to Hamburg)
Posted: Wed 27 Nov '13 23:56

I wonder, because with all the 2.4.x versions I had 100% on that test, because my key is 4096 bits (RSA) (I found the saved test from April 2012 with 100% key exchange).
jraute (Rheinland, Germany)
Posted: Thu 28 Nov '13 1:39

I had only 80% before, and I think it was because of the 1024-bit Diffie-Hellman key, which is now 4096 bits large.

But one thing is still strange: there should be the option of using additional certificate files, and this I wasn't able to define.

Anyway, an improvement!
James Blond (Moderator; Germany, next to Hamburg)
Posted: Thu 28 Nov '13 12:31

You can define SSLCertificateFile and SSLCertificateKeyFile up to three times. The exception is DH and ECDH; there Apache uses only the first one.
jraute (Rheinland, Germany)
Posted: Fri 29 Nov '13 11:16

The SSLCertificateFile / SSLCertificateKeyFile I tried to use, but I could not use it for an additional DH parameter set. Maybe I misunderstood something.

Anyway the current results are good : http://picload.org/image/oprcggo/unbenannt.png
James Blond (Moderator; Germany, next to Hamburg)
Posted: Fri 29 Nov '13 12:23

Well, in the SSL FAQ there is a small how-to on adding a second DH certificate:
http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh

The additional DH parameter: I thought a bit about it, and it is when you create the certificate via openssl(.exe) that you can add that parameter.

e.g.
Code:

openssl.exe dhparam


Maybe it is a bit too much English. I'll ask Gregg if he can clarify it.
jraute (Rheinland, Germany)
Posted: Fri 29 Nov '13 12:55

Moin moin!

I built a separate Diffie-Hellman 4096-bit PEM file with openssl and tried to load it. I was not able to load it the way I thought.

After reading the FAQ, I don't see any mistakes in the httpd file I used.
Well, it's no problem for sure, but it would be interesting how to go that way: calculating a DH parameter and using it instead of the built-in version.

Greets
James Blond (Moderator; Germany, next to Hamburg)
Posted: Tue 03 Dec '13 23:54

Moin moin to you too!

Can you please post the command line for creating the 4096-bit DH key? I had my issues.
And also an example config? I wanna play with it a bit.
jraute (Rheinland, Germany)
Posted: Wed 04 Dec '13 1:10

OK, the command is:
openssl dhparam -out dh_4096.pem 4096

Then it generates a DH parameter with a bit size of 4096 in a file named dh_4096.pem.
(If you do that, it takes some time.)
The httpd configuration I will post later; right now, typing on the phone, it's a bit uncomfortable.

Greets
jraute (Rheinland, Germany)
Posted: Wed 04 Dec '13 10:26

Test-Configuration:

SSLEngine On

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

SSLCertificateFile conf/ssl/dh_4096.pem
SSLCertificateFile conf/ssl/cert.crt
SSLCertificateKeyFile conf/ssl/key.key
SSLOptions +StrictRequire +StdEnvVars -ExportCertData

(The configuration works fine without the first SSLCertificateFile definition.)
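Editor's note on the configuration above: mod_ssl does not accept DH parameters as a separate SSLCertificateFile, which is why the first line breaks the config. What 2.4.7 added (per its CHANGES entry, and the mechanism behind the FAQ entry linked earlier in the thread) is reading custom DH parameters from the end of the first SSLCertificateFile: the server certificate comes first in that file, the output of openssl dhparam is appended to it, and SSLCertificateKeyFile stays as it is. From 2.4.8 on, with OpenSSL 1.0.2 or later, SSLOpenSSLConfCmd DHParameters also allows keeping the parameters in their own file. The script below is an added example by the editor, not code from this thread or from the httpd project, and uses only the Python standard library. It decodes the DER inside a DH PARAMETERS block to report the real modulus size (a 4096-bit parameter set is exactly 769 bytes of PEM, so a small output file is not a failed generation), and assembles the certificate file in the layout 2.4.7 expects, checking that the CERTIFICATE block comes first. All sample data is constructed: P_SAMPLE is an arbitrary 4096-bit odd number, not a safe prime and never to be used as a real DH group, and SAMPLE_CERT_PEM is a placeholder block that only exercises the ordering check.

```python
"""Check a DH parameter file and assemble the certificate file layout that
mod_ssl in httpd 2.4.7 reads (server certificate first, DH parameters appended).

Added example for this thread, not code from the forum or the httpd project.
Standard library only. The DER parsing covers the PKCS#3 DHParameter structure
written by "openssl dhparam": SEQUENCE { INTEGER p, INTEGER g }.
"""
import base64
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def _der_len(n):
    """DER length octets for a content length n (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    """DER INTEGER for a non-negative n; the extra 0x00 keeps the sign bit clear."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                          # long form: low 7 bits = number of length octets
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Return (p, g) from a DER-encoded DHParameter SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a SEQUENCE")
    tag_p, p_raw, pos = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")


def dh_params_pem(p, g=2):
    """Encode (p, g) as a "DH PARAMETERS" PEM block, wrapped at 64 columns like OpenSSL."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def dh_bits(pem_text):
    """Modulus size in bits of the first DH PARAMETERS block in pem_text, or None."""
    for label, der in pem_blocks(pem_text):
        if label == "DH PARAMETERS":
            return parse_dh_params(der)[0].bit_length()
    return None


def build_cert_file(cert_pem, dh_pem):
    """Combine into the 2.4.7 layout: CERTIFICATE block first, DH PARAMETERS appended."""
    blocks = pem_blocks(cert_pem)
    if not blocks or blocks[0][0] != "CERTIFICATE":
        raise ValueError("certificate file must start with the server CERTIFICATE block")
    if dh_bits(dh_pem) is None:
        raise ValueError("no DH PARAMETERS block found in the dhparam file")
    return cert_pem.rstrip("\n") + "\n" + dh_pem.lstrip("\n")


def inspect_cert_file(text):
    """Block labels in order plus DH modulus size: what mod_ssl will actually load."""
    return {"labels": [label for label, _ in pem_blocks(text)], "dh_bits": dh_bits(text)}


# Constructed samples: P_SAMPLE is an arbitrary odd 4096-bit number, NOT a safe prime
# and never to be used as a real DH group; SAMPLE_CERT_PEM is not a certificate, only
# a correctly labelled placeholder block so the ordering check can be exercised.
P_SAMPLE = (1 << 4095) | (1 << 2048) | 1
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(b"placeholder, not a real certificate").decode())

if __name__ == "__main__":
    if len(sys.argv) == 3:                    # real files: python3 dhcheck.py cert.crt dh_4096.pem
        with open(sys.argv[1]) as cert_f, open(sys.argv[2]) as dh_f:
            sys.stdout.write(build_cert_file(cert_f.read(), dh_f.read()))
    else:
        sample = dh_params_pem(P_SAMPLE)
        print("sample dhparam PEM: %d bytes, modulus %d bits" % (len(sample), dh_bits(sample)))
        print(inspect_cert_file(build_cert_file(SAMPLE_CERT_PEM, sample)))
```

Usage with real files: run the script with the certificate and the dhparam file as arguments, redirect the output to a new file (for example conf/ssl/cert_with_dh.crt), point SSLCertificateFile at that file and leave SSLCertificateKeyFile pointing at the unchanged private key. Running the script on the dhparam file alone, via inspect_cert_file, shows the true modulus size before the file is ever handed to httpd.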
James Blond (Moderator; Germany, next to Hamburg)
Posted: Wed 04 Dec '13 16:21

jraute wrote:
    OK, the command is:
    openssl dhparam -out dh_4096.pem 4096

Doing so I get a key with only 769 bytes and the error unable to write 'random state' (see http://pastebin.com/raw.php?i=zMFnk5Jb)
glsmith (Moderator; Sun Diego, USA)
Posted: Wed 04 Dec '13 20:36

James Blond wrote:
    Doing so I get a key with only 769 bytes and the error unable to write 'random state' (see http://pastebin.com/raw.php?i=zMFnk5Jb)

I'm assuming this is on Windows and not Debian?
If so, try running the command prompt as admin. I always forget and have the same problem.
James Blond (Moderator; Germany, next to Hamburg)
Posted: Wed 04 Dec '13 23:34

glsmith wrote:
    I'm assuming this is on Windows and not Debian?

Yep, Windows. I haven't tried Debian yet.
James Blond (Moderator; Germany, next to Hamburg)
Posted: Thu 05 Dec '13 0:12

On Debian it works, even though it took much longer than compiling Apache itself: ~45 minutes...

http://pastebin.com/raw.php?i=4jNeBb8r
jraute (Rheinland, Germany)
Posted: Thu 05 Dec '13 7:12

Great!
By the way, 45 minutes is fast.
Remember my words: "it takes some time".
James Blond (Moderator; Germany, next to Hamburg)
Posted: Mon 09 Dec '13 17:08

For those who want to play with a 4096-bit DH key:
http://pastebin.com/raw.php?i=3qb0AqF3
jraute (Rheinland, Germany)
Posted: Tue 10 Dec '13 12:01

Did you get it running?
James Blond (Moderator; Germany, next to Hamburg)
Posted: Tue 10 Dec '13 12:56

Nope,
Apache does not start with it. I get

Code:

[Tue Dec 10 11:40:45.426587 2013] [ssl:emerg] [pid 3594:tid 140460423911168] AH01895: Unable to configure verify locations for client authentication
[Tue Dec 10 11:42:38.840313 2013] [ssl:emerg] [pid 10282:tid 140261583156992] AH01895: Unable to configure verify locations for client authentication


since I wanted to use a valid StartSSL conf.

ssl.conf
Code:

SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS


vhost conf
Code:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile /opt/apache2/conf/certs/ah.de.2013.crt
    SSLCertificateKeyFile /opt/apache2/conf/certs/ah.de.2013.key
    SSLCertificateChainFile /opt/apache2/conf/certs/sub.class1.server.ca.pem
#    SSLCACertificateFile /opt/apache2/conf/certs/ca.pem

    SSLCACertificateFile /opt/apache2/conf/certs/dh_4096.pem


    <Files ~ "\.(cgi|shtml|phtml|php|htm|html?)$">
        SSLOptions +StdEnvVars
    </Files>

    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</VirtualHost>


The bad thing is that the key must match the crt file. I will try more.