Comment 32 for bug 1197884

Erwann-abalea (erwann-abalea) wrote:

(In reply to Kaspar Brand from comment #8)
> Created attachment 30804 [details]
> PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and
> 2.4.x)
>
> I'm fine with the idea, but the implementation in the patches submitted so
> far is too complex, in my opinion (in particular the SSL_read_DHparams
> stuff, which tries to support/read three different formats).

This function is similar to SSL_read_X509 and SSL_read_PrivateKey defined in the same file, and used by the module to read the corresponding objects.

That said, I'm not fluent in Apache internals, and I admit some things may have been done more easily. I tried to mimic how already existing elements (keys and certs) were declared, registered and used, when adding a new element type (DHParams).

> - use the existing SSLCertificateFile directive to support per-vhost, custom
> DHE and ECDHE parameters

The original patch is also vhost-aware.
It doesn't know about ECDHE, that's true. That wasn't critical at that time (2010) because nobody used ECDHE, and even today the curve used is the standard NIST P-256, offering 128 bits of security in theory. For a few weeks now, some people have wanted to be able to specify the curve used; there's nothing wrong with that.
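The approach discussed above, reading DH parameters from SSLCertificateFile, relies on the certificate file carrying more than one PEM block: the certificate itself plus a `DH PARAMETERS` block (the standard PEM label OpenSSL uses for PKCS#3 parameters). The Python script below is an added example written for this page, not mod_ssl's code and not the code in either attachment. It constructs a toy bundle in that layout, walks the PEM blocks, decodes the DH parameters from DER, and checks the prime size, which is the check an administrator would want before trusting such a file. The 61-bit prime and the placeholder certificate bytes are constructed values chosen so the size check fails visibly.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in a bundle, in file order."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_len(n):
    """Encode a DER length, short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(n):
    """Encode a non-negative INTEGER; the +8 keeps a 0x00 pad byte when the high bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Decode PKCS#3 DHParameter: SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a SEQUENCE")
    tag_p, p_bytes, pos = read_tlv(seq, 0)
    tag_g, g_bytes, _ = read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and INTEGER base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def find_dh_params(bundle_text):
    """Return (p, g) from the first DH PARAMETERS block in a bundle, or None if absent."""
    for label, der in pem_blocks(bundle_text):
        if label == "DH PARAMETERS":
            return parse_dh_params(der)
    return None


def dh_strength_ok(p, minimum_bits=2048):
    """A prime shorter than the minimum should be rejected, not silently served."""
    return p.bit_length() >= minimum_bits


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundle (hypothetical): a placeholder certificate block
# followed by real DER for a toy 61-bit DH group. Not a usable certificate.
TOY_P = 2 ** 61 - 1  # Mersenne prime M61; far too small for real use
TOY_G = 2
SAMPLE_BUNDLE = (
    pem_encode("CERTIFICATE", b"\x30\x03\x02\x01\x00")
    + pem_encode("DH PARAMETERS", der_sequence(der_integer(TOY_P), der_integer(TOY_G)))
)

if __name__ == "__main__":
    found = find_dh_params(SAMPLE_BUNDLE)
    if found is None:
        print("no DH PARAMETERS block in bundle")
    else:
        p, g = found
        print(f"DH prime is {p.bit_length()} bits, generator {g}, "
              f"{'OK' if dh_strength_ok(p) else 'TOO SMALL'}")
```

The parser deliberately reads only the first two INTEGERs of the SEQUENCE, so a PKCS#3 block carrying the optional privateValueLength field still decodes; anything that is not a SEQUENCE of INTEGERs is rejected rather than guessed at.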