Hi William,

>> I’m confused where the DH 3072 comes from. My question is, what should I
>> configure so that DH 4096 is sent?
>
> Is your DH file actually 4096 bits? ;)

It appears to be so when I look at the dhparams.pem file:

openssl dhparam -inform PEM -in /etc/apache2/dhparam.pem -check -text
    DH Parameters: (4096 bit)
        prime:
            00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
            [...]
        generator: 2 (0x2)
WARNING: the g value is not a generator

> Does Apache have a setting similar to tune.ssl.default-dh-param in HAProxy,
> maybe?

I found on https://httpd.apache.org/docs/current/mod/mod_ssl.html:

"Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits and with additional prime lengths of 6144 and 8192 bits beginning with version 2.4.10 (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key."

That’s why I thought, if I use a 4096 bit key, it all would end well, but I guess I was wrong…

Cheers,
WH
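An added example, not from this thread and not code from Apache or OpenSSL: a small Python parser for a PKCS#3 "DH PARAMETERS" file that reports the bit length of p (so the configured size can be compared with what the server actually sends) and explains the "g value is not a generator" warning, which for an RFC 3526 group means g = 2 generates the order-q subgroup of the safe prime p = 2q + 1 rather than the full group of order p - 1. The PEM string is a constructed toy (p = 23, g = 2); `parse_dh_params`, `is_probable_prime` and `describe` are names chosen here.

```python
import base64
import re

# Constructed toy PEM: DER SEQUENCE { INTEGER 23, INTEGER 2 }. A real dhparam.pem parses the same way.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQI=\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block (SEQUENCE of two INTEGERs)."""
    body = re.sub(r"-----(BEGIN|END) DH PARAMETERS-----", "", pem)
    tag, seq, _ = _read_tlv(base64.b64decode("".join(body.split())), 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, probabilistic above."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (b for b in bases if b < n):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def describe(p, g):
    """Bit length of p and which subgroup g generates for a safe prime p = 2q + 1:
    'q' (order q, what RFC 3526 groups use with g = 2) or 'full' (order p - 1)."""
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return {"bits": p.bit_length(), "safe_prime": False, "order": None}
    return {"bits": p.bit_length(), "safe_prime": True,
            "order": "q" if pow(g, q, p) == 1 else "full"}
```

Running `describe(*parse_dh_params(open("/etc/apache2/dhparam.pem").read()))` on a 4096-bit RFC 3526 file takes a few seconds for the primality checks and reports bits 4096, safe_prime True, order 'q'.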