Ralf J

Database of "common DH prime" seems incomplete

Discussion created by Ralf J on Jun 5, 2015
Latest reply on Jun 10, 2015 by Ralf J

During a check of a domain I am running (SSL Server Test: git.hacksaar.de (Powered by Qualys SSL Labs)), I noticed that SSLLabs reported "Uses common DH prime: No". However, I did not configure a custom prime for that domain - in fact, it is using the common 4096-bit prime hard-coded into Apache. So it seems that the database of common primes is lacking the larger primes introduced by Apache 2.4.7. Quoting from the documentation:
Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits and with additional prime lengths of 6144 and 8192 bits beginning with version 2.4.10 (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key.
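An added example, not part of the post or of SSL Labs' own scanner: RFC 3526 defines each MODP prime by a formula over pi plus a small per-group constant, so a checker can regenerate the primes Apache 2.4.7+ serves and recognise them without a hand-maintained database of hex blobs. The sample inputs at the bottom are constructed for the demonstration.

```python
# Added example: recognise the RFC 3526 MODP primes that Apache mod_ssl >= 2.4.7
# hands out, by regenerating them from the RFC's own formula
#   p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + k)
# instead of keeping a database of pasted hex values.

# Per-group increment k from RFC 3526, keyed by prime length in bits.
RFC3526_K = {1536: 741804, 2048: 124476, 3072: 1690314,
             4096: 240904, 6144: 929484, 8192: 4743158}

GUARD_BITS = 64  # extra precision so series truncation cannot disturb the floor


def _arctan_inv(x, scale):
    """floor(scale * arctan(1/x)) via the alternating series, integers only."""
    total, term, n, sign = 0, scale // x, 1, 1
    while term:
        total += sign * (term // n)
        term //= x * x
        n += 2
        sign = -sign
    return total


def pi_scaled(bits):
    """floor(pi * 2^bits) using Machin's formula: pi = 16 atan(1/5) - 4 atan(1/239)."""
    scale = 1 << (bits + GUARD_BITS)
    pi_val = 16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)
    return pi_val >> GUARD_BITS


_PI = pi_scaled(8192 - 130)  # precision for the largest group; smaller ones shift down


def rfc3526_prime(n):
    """Regenerate the n-bit RFC 3526 MODP prime from the RFC's formula."""
    pi_part = _PI >> ((8192 - 130) - (n - 130))
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_part + RFC3526_K[n])


# The "database" of common primes, built at import time.
COMMON_DH_PRIMES = {rfc3526_prime(n): "RFC 3526 %d-bit MODP group" % n for n in RFC3526_K}


def classify_dh_prime(p):
    """Return the group name if p is a well-known RFC 3526 prime, else None."""
    return COMMON_DH_PRIMES.get(p)


if __name__ == "__main__":
    # Constructed inputs: the 4096-bit group a default Apache 2.4.7+ serves with a
    # 4096-bit RSA key, and a nearby non-standard value that must not match.
    print(classify_dh_prime(rfc3526_prime(4096)))      # RFC 3526 4096-bit MODP group
    print(classify_dh_prime(rfc3526_prime(4096) + 2))  # None
```

A scanner that extracts the prime from a ServerKeyExchange would feed it to classify_dh_prime; a None result means a site-specific parameter set rather than one of the standardized groups.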