nginx and ephemeral Diffie-Hellman keys
Jauder Ho
lists at ruby-forum.com
Sat Jun 14 12:59:10 MSD 2008
Having the option would still be beneficial since the capability is already
there.
Igor Sysoev wrote:
> On Sat, Jun 14, 2008 at 08:09:13AM +0400, Igor Sysoev wrote:
>
>> >
>> > Key should be changed out every so often.
>> >
>> > - o Diffie-Hellman-Parameters for temporary keys are hardcoded in
>> > - ssl_engine_dh.c, while the comment in ssl_engine_kernel.c says:
>> > - "it is suggested that keys be changed daily or every 500
>> > - transactions, and more often if possible."
>>
>> Nevertheless Apache still uses hardcoded DH parameters and does not allow
>> overriding them.
>
> Looking in Apache repo: modern DH params in Apache/2 are 3 years old,
> Apache's 1.3 DH params are 9 years old.
>
> It seems there is no need to override them using ssl_dhparam.
--
Posted via http://www.ruby-forum.com/.