From: Luca Toscano <elukey@apache.org>
Date: Tue, 8 Mar 2016 13:18:41 +0000 (+0000)
Subject: Backporting documentation commits from trunk (new mod_ssl note about ECC): r1734058... 
X-Git-Tag: 2.4.19~93
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1117df2d9b76b5e6ffa40af66d262858c505beb6;p=apache

Backporting documentation commits from trunk (new mod_ssl note about ECC): r1734058,r1734060,r1734067,r1734069

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1734076 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index e57b16f649..faa43ce138 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -859,7 +859,8 @@ to support multiple algorithms for server authentication - typically
 RSA, DSA, and ECC. The number of supported algorithms depends on the
 OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
 <code>openssl list-public-key-algorithms</code> will output a list
-of supported algorithms.
+of supported algorithms, see also the note below about limitations
+of OpenSSL versions prior to 1.0.2 and the ways to work around them.
 </p>
 
 <p>
@@ -909,6 +910,33 @@ such issues.
 </p>
 </note>
 
+<note>
+<title>Default DH parameters when using multiple certificates and OpenSSL
+versions prior to 1.0.2</title>
+<p>
+When using multiple certificates to support different authentication algorithms
+(like RSA, DSA, but mainly ECC) and OpenSSL prior to 1.0.2, it is recommended
+to either use custom DH parameters (preferably) by adding them to the
+first certificate file (as described above), or to order the
+<directive>SSLCertificateFile</directive> directives such that RSA/DSA
+certificates are placed <strong>after</strong> the ECC one.
+</p>
+<p>
+This is due to a limitation in older versions of OpenSSL which don't let the
+Apache HTTP Server determine the currently selected certificate at handshake
+time (when the DH parameters must be sent to the peer) but instead always
+provide the last configured certificate. Consequently, the server may select
+default DH parameters based on the length of the wrong certificate's key (ECC
+keys are much smaller than RSA/DSA ones and their length is not relevant for
+selecting DH primes).
+</p>
+<p>
+Since custom DH parameters always take precedence over the default ones, this
+issue can be avoided by creating and configuring them (as described above),
+thus using a custom/suitable length.
+</p>
+</note>
+
 <example><title>Example</title>
 <highlight language="config">
 SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"