How to specify Custom DH parameters

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux 5.x, 6.x, 7.x
  • httpd
  • mod_ssl
  • openssl

Issue

  • How to specify Custom DH parameters

Resolution

mod_ssl reads custom Diffie-Hellman parameters from a DH PARAMETERS block in the file named by SSLCertificateFile, so the parameters only have to be generated and appended to that file:

# openssl dhparam -out dhparams_2048.pem 2048
# cat dhparams_2048.pem >> /path/to/your/certfile.crt
# service httpd restart

Use at least 2048 bits; 1024-bit groups are considered weak. On RHEL 7 the restart is `systemctl restart httpd`. Note that a renewed or re-issued certificate replaces the file, so the DH block has to be appended again after every certificate rollover.

With `LogLevel debug` set in /etc/httpd/conf.d/ssl.conf, the SSL error log confirms at startup that the parameters were loaded from the certificate file:

[Mon Jun 01 14:50:59 2015] [debug] ssl_engine_init.c(987): Custom DH parameters (2048 bits) for 127.0.0.1:443 loaded from /path/to/your/certfile.crt
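The procedure above as one script, added here as an example and not part of the Red Hat solution: it generates the group, appends it to the certificate file only if no DH block is already present (a repeated `cat >>` silently stacks blocks), checks that both the certificate and the DH parameters are still readable afterwards, and, once httpd has been restarted, confirms over the wire which group the server actually uses. The function names and the script name `dhparams.sh` are my own; the over-the-wire check assumes an OpenSSL 1.0.2 or later client, which is what prints the "Server Temp Key" line.

```shell
#!/bin/bash
# Added example, not part of the Red Hat solution: wraps the three steps above,
# refuses to append a second DH block, and verifies the result.
# Function names and the script name (dhparams.sh) are my own choices.
set -eu

# Step 1: generate a safe-prime DH group of the requested size (default 2048).
gen_dhparams() {
    local out=$1 bits=${2:-2048}
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Step 2: append the DH PARAMETERS block to the certificate file, once only.
# A repeated plain `cat >>` would stack several DH blocks into the file.
append_dhparams() {
    local certfile=$1 dhfile=$2
    if grep -q 'BEGIN DH PARAMETERS' "$certfile"; then
        echo "$certfile already contains DH parameters, not appending" >&2
        return 1
    fi
    cat "$dhfile" >> "$certfile"
}

# Print the modulus size of the DH block found in a PEM file (fails if absent).
# The block is cut out with sed so that OpenSSL only sees the DH parameters;
# mod_ssl itself reads that block straight from SSLCertificateFile.
dh_bits_in_file() {
    local f=$1
    grep -q 'BEGIN DH PARAMETERS' "$f" || return 1
    sed -n '/BEGIN DH PARAMETERS/,/END DH PARAMETERS/p' "$f" \
        | openssl dhparam -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Confirm the certificate block is still readable after the append.
cert_still_valid() {
    openssl x509 -in "$1" -noout -subject >/dev/null 2>&1
}

# Step 3 (after the restart), over the wire: force a DHE cipher on TLS 1.2 and
# print the ephemeral key size the server used. Needs OpenSSL 1.0.2 or later
# on the client side, which is what prints the "Server Temp Key" line.
check_server_dh() {
    local hostport=$1
    openssl s_client -connect "$hostport" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null \
        | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# Usage: dhparams.sh /path/to/your/certfile.crt [bits]
# followed by `service httpd restart` (or `systemctl restart httpd` on RHEL 7),
# then `check_server_dh host:443` from a client to confirm the group in use.
main() {
    local certfile=$1 bits=${2:-2048}
    local tmp
    tmp=$(mktemp)
    gen_dhparams "$tmp" "$bits"
    append_dhparams "$certfile" "$tmp"
    rm -f "$tmp"
    echo "$certfile now carries $(dh_bits_in_file "$certfile")-bit DH parameters"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The once-only guard matters in practice: the file is typically rewritten by certificate renewal, and re-running a blind `cat >>` on a file that still has the old block leaves two DH blocks, of which mod_ssl only loads the first.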

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

Why is "SSLOpenSSLConfCmd DHParameters" not supported? Having to change the certificates that have been delivered from the CA is inconvenient at best!

Looks to me like the message in the ssl_error.log is only given for the first certificate that is read.
The DH parameters attached to the other certificates seem to work anyway (checked with openssl s_client -msg).