Bug 69045 - httpd 2.4.59+ with OpenSSL 3.0+ is unable to load custom DH parameters from CertificateFile.
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.59
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2024-05-24 09:05 UTC by Hayato Ohhashi
Modified: 2024-05-24 09:37 UTC
Description Hayato Ohhashi 2024-05-24 09:05:40 UTC
The latest version of httpd with OpenSSL 3.0 or later is unable to load custom DH parameters specified in the CertificateFile configuration option. PEM_read_bio_Parameters() is unable to extract just the DH parameters and returns NULL when a CertificateFile contains signed certificates, intermediate certificates, and DH parameters all bundled together in one file.

So if we set DH parameters in CertificateFile, httpd will always ignore them.

Example:

~]# apachectl -v
Server version: Apache/2.5.1-dev (Unix)
Server built:   May 23 2024 17:58:37
~]# cat /etc/httpd/conf/extra/httpd-ssl.conf | grep -i '^sslcertificate'
SSLCertificateFile "conf/server.crt"
SSLCertificateKeyFile "conf/server.key"
~]# cat /etc/httpd/conf/server.crt 
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN2CP4uKyajqHYulLt6By0WcdGu7bpyEBvjJ/lVYJT0bAMJaTnZ8YVbZ
fc7jkTBwp413mdlyuaAQmDe8ctmNuby3GUHtf0Y8chSLQy6HnZ6/6Uck524Qspsl
YgBSXHwx/DI29L3A5Wq6QF22ar5eCwYbOh/NzYjVmL7Qt8xBzrjXAgEC
-----END DH PARAMETERS-----
~]# cat /var/log/httpd/error_log 
[Thu May 23 18:37:00.940416 2024] [ssl:info] [pid 74533:tid 74533] AH01914: Configuring server www.example.com:443 for SSL protocol
[Thu May 23 18:37:00.940860 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(552): AH01893: Configuring TLS extension handling
[Thu May 23 18:37:00.941737 2024] [ssl:debug] [pid 74533:tid 74533] ssl_util_ssl.c(462): AH02412: [www.example.com:443] Cert does not match for name 'www.example.com' [subject: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / issuer: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / serial: 5EFF413F5BE031FA4A4A23C4FB92D70F32BACCB9 / notbefore: May 22 19:02:30 2024 GMT / notafter: May 22 19:02:30 2025 GMT]
[Thu May 23 18:37:00.941745 2024] [ssl:warn] [pid 74533:tid 74533] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu May 23 18:37:00.941748 2024] [ssl:info] [pid 74533:tid 74533] AH02568: Certificate and private key www.example.com:443:0 configured from /etc/httpd/conf/server.crt and /etc/httpd/conf/server.key
[Thu May 23 18:37:00.959651 2024] [mpm_event:notice] [pid 74533:tid 74533] AH00489: Apache/2.5.1-dev (Unix) OpenSSL/3.0.8 configured -- resuming normal operations
[Thu May 23 18:37:00.959673 2024] [core:notice] [pid 74533:tid 74533] AH00094: Command line: '/usr/sbin/httpd'


After applying my fix (https://github.com/apache/httpd/pull/447), custom DH parameters now work properly.


~]# cat /var/log/httpd/error_log 
[Thu May 23 18:39:12.375762 2024] [ssl:info] [pid 74533:tid 74533] AH01914: Configuring server www.example.com:443 for SSL protocol
[Thu May 23 18:39:12.376197 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(552): AH01893: Configuring TLS extension handling
[Thu May 23 18:39:12.377114 2024] [ssl:debug] [pid 74533:tid 74533] ssl_util_ssl.c(462): AH02412: [www.example.com:443] Cert does not match for name 'www.example.com' [subject: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / issuer: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / serial: 5EFF413F5BE031FA4A4A23C4FB92D70F32BACCB9 / notbefore: May 22 19:02:30 2024 GMT / notafter: May 22 19:02:30 2025 GMT]
[Thu May 23 18:39:12.377125 2024] [ssl:warn] [pid 74533:tid 74533] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu May 23 18:39:12.377128 2024] [ssl:info] [pid 74533:tid 74533] AH02568: Certificate and private key www.example.com:443:0 configured from /etc/httpd/conf/server.crt and /etc/httpd/conf/server.key
[Thu May 23 18:39:12.377278 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(1611): AH02540: Custom DH parameters (1024 bits) for www.example.com:443 loaded from /etc/httpd/conf/server.crt
[Thu May 23 18:39:12.395254 2024] [mpm_event:notice] [pid 74533:tid 74533] AH00489: Apache/2.5.1-dev (Unix) OpenSSL/3.0.8 configured -- resuming normal operations
[Thu May 23 18:39:12.395276 2024] [core:notice] [pid 74533:tid 74533] AH00094: Command line: '/usr/sbin/httpd'

=> "[Thu May 23 18:39:12.377278 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(1611): AH02540: Custom DH parameters (1024 bits) for www.example.com:443 loaded from /etc/httpd/conf/server.crt"
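The report above turns on two observable facts: whether the SSLCertificateFile bundles a DH PARAMETERS block together with CERTIFICATE blocks, and whether the error_log (at LogLevel ssl:debug) ever shows AH02540 confirming that mod_ssl actually loaded custom DH parameters. The following check is an added example written for this page; it is not part of the bug report, the pull request or httpd's own code. The certificate body, the DH block and the log lines it contains are constructed stand-ins that mimic the shape of the report's output, and the finding strings are this example's own wording. It goes slightly beyond the report by also reading the bit length out of the AH02540 line so that a silently loaded but undersized group is flagged too.

```python
"""Audit an httpd SSLCertificateFile for bundled DH parameters and confirm,
from error_log, whether mod_ssl actually picked them up (AH02540)."""
import re
from typing import List, Optional

# One PEM block; the label on the END line must match the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Line mod_ssl logs at LogLevel ssl:debug once custom DH parameters are in use
# (same message id and wording as in the report's error_log).
DH_LOADED = re.compile(r"AH02540: Custom DH parameters \((\d+) bits\)")


def pem_block_types(pem_text: str) -> List[str]:
    """Labels of all PEM blocks in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def extract_dh_parameters(pem_text: str) -> Optional[str]:
    """Return only the armoured DH PARAMETERS block, or None if absent.

    Useful for moving the group into its own file so it no longer sits
    behind certificate blocks in the bundle."""
    for m in PEM_BLOCK.finditer(pem_text):
        if m.group(1) == "DH PARAMETERS":
            return m.group(0) + "\n"
    return None


def bundles_dh_with_certs(pem_text: str) -> bool:
    """True when DH parameters share the file with at least one certificate."""
    types = pem_block_types(pem_text)
    return "DH PARAMETERS" in types and "CERTIFICATE" in types


def custom_dh_bits(log_lines) -> Optional[int]:
    """Bit length from the first AH02540 line, or None if never logged."""
    for line in log_lines:
        m = DH_LOADED.search(line)
        if m:
            return int(m.group(1))
    return None


def audit(cert_file_text: str, log_lines) -> List[str]:
    """Combine file layout and log evidence into a list of findings."""
    findings = []
    types = pem_block_types(cert_file_text)
    if bundles_dh_with_certs(cert_file_text):
        findings.append("DH parameters are bundled with certificates in "
                        "SSLCertificateFile")
    bits = custom_dh_bits(log_lines)
    if "DH PARAMETERS" in types and bits is None:
        findings.append("no AH02540 in error_log: custom DH parameters were "
                        "not loaded, defaults are in use")
    elif bits is not None and bits < 2048:
        findings.append(f"custom DH parameters are only {bits} bits")
    return findings


# Constructed sample inputs (not real key material, not the report's files).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN DH PARAMETERS-----\n"
    "MIGHAoGBAN2CP4uKyajqHYulLt6By0WcdGu7bpyEBvjJ/lVYJT0b\n"
    "-----END DH PARAMETERS-----\n"
)
LOG_BEFORE = [
    "[Thu May 23 18:37:00.941748 2024] [ssl:info] [pid 1:tid 1] AH02568: "
    "Certificate and private key www.example.com:443:0 configured from "
    "/etc/httpd/conf/server.crt and /etc/httpd/conf/server.key",
]
LOG_AFTER = LOG_BEFORE + [
    "[Thu May 23 18:39:12.377278 2024] [ssl:debug] [pid 1:tid 1] "
    "ssl_engine_init.c(1611): AH02540: Custom DH parameters (1024 bits) for "
    "www.example.com:443 loaded from /etc/httpd/conf/server.crt",
]

if __name__ == "__main__":
    for label, log in (("before fix", LOG_BEFORE), ("after fix", LOG_AFTER)):
        print(label, audit(SAMPLE_BUNDLE, log))
```

Run it against the real files with `audit(open(cert_path).read(), open(log_path))`; an empty result for a file that contains a DH PARAMETERS block means the group was both loaded and at least 2048 bits. Note that AH02540 is only emitted at ssl:debug, so a missing line on a server logging at a lower level proves nothing, and a bundle that passes `bundles_dh_with_certs` on an unpatched httpd 2.4.59+ with OpenSSL 3 is the exact configuration the report describes.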