Skip to main content
Version: 7.2402.x.x RR

Apache httpd 2.4

How to add support of http/2

Add the following into the navajo.xml, under the Connector attribute:

<H2
  H2Direct="on"
  Protocols="h2 h2c http/1.1"
  H2SerializeHeaders="on"
/>

Default DH parameters with Apache httpd/2.4

The DH parameters used by default are the ones defined in RFC 3526. The length of the chosen parameter corresponds to the key size of the used server certificate.

Using the predefined public parameters in RFC 3526 doesn't impact the security of the DH algorithm, as long as they have a sufficient size (more than 1024bits). Moreover, the predefined ones are optimized and have been evaluated to cover security requirements. Thus nevisProxy is in line with current best practices.

Of course, if someone wishes to use their own DH parameters, using the SSLOpenSSLConfCmd apache directive with the ApacheConfigFilter or appending them in the first certificate defined with SSLCertificateFile are the solutions for the moment.

Defining custom DH parameters for Apache httpd/2.4 in first certificate

With Apache httpd/2.4, custom DH parameters for ephemeral keys should be added to the first file configured using the SSLCertificateFile directive. Such parameters can be generated using the command openssl dhparam and appended to the certificate file. Only the first certificate file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

Example of creating custom DH parameters of 2048 bits and appending them to first_certificate.pem:

 -openssl dhparam -out dHParam.pem 2048
 -cat dHParam.pem >> first_certificate.pem