apache: Allow use of SSLOpenSSLConfCmd DHParameters if supported

[tim-seoss]

Versions of Apache > 2.4.8 support: SSLOpenSSLConfCmd DHParameters "/path/to/dhparams"

I think a useful enhancement would be to emit this (if supported) rather than the current:

# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
#SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
#SSLCertificateKeyFile   /path/to/private_key

Since that's a bit awkward for people to automate if they use automatic SSL cert updating (e.g. via letsencrypt).

[gstrauss]

Applications using openssl should prefer SSL_CTX_set_dh_auto() and related functions, available since OpenSSL 1.1.0, instead of providing DHParameters. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_dh_auto.html

If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key.

Applications may supply their own DH parameters instead of using the built-in values. This approach is discouraged and applications should in preference use the built-in parameter support described above.

@tim-seoss you might want to open an issue for Apache2 to request that they use SSL_CTX_set_dh_auto() or SSL_set_dh_auto()

I think that is better than end-users attempting to provide DHParameters (unless end-users know what they are doing and really want to do so).

[fdelapena]

Moreover, SSLOpenSSLConfCmd DHParameters "/path/to/dhparams" is broken when using recent OpenSSL versions (e.g. 3.x) so it just won't work when just using it. Apache Users Mailing List thread and Qualys Community thread.

By the way, internet.nl considers ffdhe2048 phased out on their test and recommends at least ffdhe3072.