
apache: Allow use of SSLOpenSSLConfCmd DHParameters if supported #125

Closed
Tracked by #260
tim-seoss opened this issue Feb 15, 2021 · 7 comments
Labels
compatibility Warnings, deprecations or incompatibilities to tackle enhancement New feature or request wontfix This will not be worked on

Comments

@tim-seoss

Versions of Apache > 2.4.8 support:
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams"

I think a useful enhancement would be to emit this (if supported) rather than the current:

# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
#SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
#SSLCertificateKeyFile   /path/to/private_key

Since that's a bit awkward for people to automate if they use automatic SSL cert updating (e.g. via letsencrypt).
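A check a deployer can run against the combined file the generator currently emits, added here as example code (not part of ssl-config-generator or Apache httpd): it parses the PEM bundle, confirms a DH PARAMETERS block is actually appended after the certificates, and reports the prime size so a missing or undersized group is caught before the server is reloaded. The sample bundle and its 2048-bit prime are constructed placeholders, not the real ffdhe2048 group.

```python
# Added example, not ssl-config-generator or httpd code: verify that a combined
# SSLCertificateFile bundle really carries appended DH params and size the prime.
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(tag, body):
    # DER tag-length-value; long-form length once body exceeds 127 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):
    # Positive INTEGER: big-endian, leading 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def encode_dh_params(p, g):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    return _tlv(0x30, _der_int(p) + _der_int(g))

def _read_tlv(buf, pos=0):
    # One DER element -> (tag, value bytes); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln]

def dh_prime_bits(der):
    tag, seq = _read_tlv(der)
    tag_p, p_bytes = _read_tlv(seq)
    if tag != 0x30 or tag_p != 0x02:
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p_bytes, "big").bit_length()

def dh_bits_in_bundle(pem_text):
    # Size of the appended DH prime; 0 means no DH PARAMETERS block is present
    for label, b64 in PEM_RE.findall(pem_text):
        if label == "DH PARAMETERS":
            return dh_prime_bits(base64.b64decode(b64))
    return 0
def pem(label, der):
    body = "\n".join(re.findall(".{1,64}", base64.b64encode(der).decode()))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
# Constructed sample: placeholder cert bodies and a 2048-bit placeholder prime (not the real ffdhe2048; only its size matters here).
SAMPLE_BUNDLE = (pem("CERTIFICATE", b"leaf") + pem("CERTIFICATE", b"intermediate")
                 + pem("DH PARAMETERS", encode_dh_params((1 << 2047) | 1, 2)))
```

Run `dh_bits_in_bundle(open(path).read())` on the real file referenced by SSLCertificateFile; a result of 0 means the `curl ... >>` step was skipped, and anything below 2048 (or 3072, per the internet.nl guidance cited later in this thread) should be rejected.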

@gstrauss
Collaborator

gstrauss commented Apr 6, 2021

Applications using openssl should prefer SSL_CTX_set_dh_auto() and related functions, available since OpenSSL 1.1.0, instead of providing DHParameters.
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_dh_auto.html

If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it will be consistent with the size of the negotiated symmetric cipher key.

Applications may supply their own DH parameters instead of using the built-in values. This approach is discouraged and applications should in preference use the built-in parameter support described above.

@tim-seoss you might want to open an issue for Apache2 to request that they use SSL_CTX_set_dh_auto() or SSL_set_dh_auto()

I think that is better than end-users attempting to provide DHParameters (unless end-users know what they are doing and really want to do so).

@fdelapena

Moreover, SSLOpenSSLConfCmd DHParameters "/path/to/dhparams" is broken when using recent OpenSSL versions (e.g. 3.x) so it just won't work when just using it. Apache Users Mailing List thread and Qualys Community thread.

By the way, internet.nl considers ffdhe2048 phased out on their test and recommends at least ffdhe3072.

gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 10, 2024
@gstrauss
Collaborator

I included the change to use SSLOpenSSLConfCmd DHParameters "/path/to/dhparams" in #256, but it is omitted for OpenSSL 3.x where Apache 2.4.52 and later use SSL_CTX_set_dh_auto() and SSL_set_dh_auto() to follow RFC7919.

Regarding ffdhe3072, that will be reviewed the next time Mozilla updates the ssl-config-generator guidelines.

gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 10, 2024
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 10, 2024
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 11, 2024
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 11, 2024
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 11, 2024
gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 11, 2024
@janbrasna
Collaborator

I'm considering this to be wontfix, and only supporting Apache 2.4.52+ OpenSSL 1.1.0+ API for "auto" RFC7919.


I'm not sure I'm confident to add SSLOpenSSLConfCmd DHParameters due to issues mentioned #125 (comment) […] before we know more, I wanted to go the opposite way […] skip DHParameters entirely, and only make use of the auto params added in the recent versions with #256)

Originally posted by @janbrasna in #257 (comment)

Yann Ylavic is an Apache developer and wrote in
https://lists.apache.org/thread/vpqvq8mk9smn0wv749c1ngj09lqbt2wx

Step 3) does not work anymore with latest openssl versions, the only
way to configure custom dhparams in httpd is to append them to the
certificate file

so I'll adjust #256 to not use SSLOpenSSLConfCmd DHParameters with OpenSSL 3.x

Originally posted by @gstrauss in #257 (comment)

I would prefer to not add the SSLOpenSSLConfCmd DHParameters for <2.4.52 […] (Maybe limiting that only to OpenSSL 1.1.0–1.1.1 for those older httpd? Is that extra logic worth maintaining for posterity?)

Please everyone think about how badly we want to support separate DHParameters in Apache 2.4.8–2.4.52 (a ~3 year old release) […] I'd vouch for skipping from appending the params after the certs directly to the auto/RFC feature, leaving out SSLOpenSSLConfCmd DHParameters when there are reported issues.

Originally posted by @janbrasna in #257 (comment)

gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 11, 2024
@gstrauss
Collaborator

I'm considering this to be wontfix, and only supporting Apache 2.4.52+ OpenSSL 1.1.0+ API for "auto" RFC7919.

Even if OpenSSL 1.1.0+ API supports "auto", the apps might not.
In #256, I looked at the code in the servers as well as their documentation. I did not test if "auto" would be passed through, but I did set the version check based on whether the server code would call SSL_CTX_set_dh_auto()/SSL_set_dh_auto() or not.

@janbrasna
Collaborator

janbrasna commented Oct 11, 2024

@gstrauss Can you add a changelog link or some docs mentioning the auto size selection from 2.4.52 if you don't mind? I might be lost in a) when Apache started to support it, b) if that's for 1.1.0 branch too or 3.x exclusively… Thanks.

Only found the reference bug for https://bz.apache.org/bugzilla/show_bug.cgi?id=65764#c5

Joe Orton 2022-01-04 08:27:54 UTC
"Customer DH parameters will be ignored since 2.4.52 if using "SSLOpenSSLConfCmd DHParameters", but will be respected if placing the params in the file referenced by SSLCertificateFile as Yann says.
I think we should document the SSLOpenSSLConfCmd interface as less-supportable/stable since it can have unpredictable effects, you are effectively bypassing mod_ssl and configuring OpenSSL directly."

gstrauss added a commit to gstrauss/ssl-config-generator that referenced this issue Oct 12, 2024
@gstrauss
Collaborator

gstrauss commented Nov 6, 2024

Due to the (not new) D(HE)ater attack (https://dheatattack.gitlab.io/dheater/), we have chosen (at least for the moment) to continue having the ssl-config-generator recommend appending the 2048-bit FFDHE2048 key to the cert, rather than use DH auto support where available. Since SSLOpenSSLConfCmd DHParameters does not work with OpenSSL 3.x, the change requested in this issue to use SSLOpenSSLConfCmd DHParameters would only be for < OpenSSL 3.x, and all those versions before 3.x are EOL. There is little benefit to changing the output for older versions to use SSLOpenSSLConfCmd DHParameters, and then changing back to append the dhparams to the certificate file for use with OpenSSL 3.x, so let's leave it as-is.

@gstrauss gstrauss closed this as not planned Won't fix, can't repro, duplicate, stale Nov 6, 2024
@janbrasna janbrasna added enhancement New feature or request wontfix This will not be worked on compatibility Warnings, deprecations or incompatibilities to tackle labels Nov 6, 2024