The latest version of httpd built against OpenSSL 3.0 or later is unable to load custom DH parameters specified in the SSLCertificateFile configuration option. PEM_read_bio_Parameters() cannot extract just the DH parameters and returns NULL when the SSLCertificateFile contains the signed certificate, intermediate certificates, and DH parameters bundled together in one file. So if we put DH parameters in SSLCertificateFile, httpd always ignores them.

Example:

~]# apachectl -v
Server version: Apache/2.5.1-dev (Unix)
Server built: May 23 2024 17:58:37

~]# cat /etc/httpd/conf/extra/httpd-ssl.conf | grep -i '^sslcertificate'
SSLCertificateFile "conf/server.crt"
SSLCertificateKeyFile "conf/server.key"

~]# cat /etc/httpd/conf/server.crt
-----BEGIN CERTIFICATE-----
MIIDlTCCAn0CFF7/QT9b4DH6SkojxPuS1w8yusy5MA0GCSqGSIb3DQEBCwUAMIGG
MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEjAQBgNVBAcMCVNoaW5hZ2F3
YTEMMAoGA1UECgwDYXdzMRAwDgYDVQQLDAdzdXBwb3J0MRIwEAYDVQQDDAlsb2Nh
bGhvc3QxHzAdBgkqhkiG9w0BCQEWEG9oYUBhbWF6b24uY28uanAwHhcNMjQwNTIy
MTkwMjMwWhcNMjUwNTIyMTkwMjMwWjCBhjELMAkGA1UEBhMCSlAxDjAMBgNVBAgM
BVRva3lvMRIwEAYDVQQHDAlTaGluYWdhd2ExDDAKBgNVBAoMA2F3czEQMA4GA1UE
CwwHc3VwcG9ydDESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcNAQkBFhBv
aGFAYW1hem9uLmNvLmpwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
2yMv9pQums8A16niNx8BUnSWw803HlBWVplSGPKsRtNlOFR7Qu8W6dvgPdbXranS
boVqTxyd5QkJi6EPrmj0jUu2HZ/f0wNj3upByusiRbVR2WlkDcxS2chewnSHiVjc
ClkscoL3aLcZ+jJSrxcNbt1dj6legoI3xpZePWSvvj8mcxjhyMa8Q8jNYCxxph9i
7y8oj5tIdgdA+bpMkCDlOLSNd9f0S1IvZSDDu+GfVx3DpjONpPFjTDkX50Y4Ydet
VegDceHYNgdoJ48I7+krKsup5HNY+qMHayrrUdVBRnpkaQxuFZKSsd/9wZhqc3rd
iUi+7613QyGEwSG2niFJjwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBTCDbw1LBg
hsTfCrU1jYM9OBkh+ENMg9NeuG5kMDGiiP47I6xA9u+kUk0P5AUyADTb/O9BonQ/
rZTbfrd2mMa2NY4KrW62BXDqfNMZoeOSdiJRAVwKm59Yb3+tG/h1iNj92SCZKDRY
RZB3+P6dxPXr2h9OXDUSmpUrAwspQoBKf833iPReJaKGMrGcpvgt6x97YJyGl+KO
t5eklBP3VQS4oeAAjdXIlFeSlskYW04zpM3ZmkrIx51k8dWBeFtGDi20ldd82O0X
hLfy+hRuffc9fXRX8mAHH2Jg0zJ6AtnhBv5Qzqe7Kd/lyavYjVpuAjVHBx4yvOSq
JkBz5Fqtr3lr
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN2CP4uKyajqHYulLt6By0WcdGu7bpyEBvjJ/lVYJT0bAMJaTnZ8YVbZ
fc7jkTBwp413mdlyuaAQmDe8ctmNuby3GUHtf0Y8chSLQy6HnZ6/6Uck524Qspsl
YgBSXHwx/DI29L3A5Wq6QF22ar5eCwYbOh/NzYjVmL7Qt8xBzrjXAgEC
-----END DH PARAMETERS-----

~]# cat /var/log/httpd/error_log
[Thu May 23 18:37:00.940416 2024] [ssl:info] [pid 74533:tid 74533] AH01914: Configuring server www.example.com:443 for SSL protocol
[Thu May 23 18:37:00.940860 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(552): AH01893: Configuring TLS extension handling
[Thu May 23 18:37:00.941737 2024] [ssl:debug] [pid 74533:tid 74533] ssl_util_ssl.c(462): AH02412: [www.example.com:443] Cert does not match for name 'www.example.com' [subject: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / issuer: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / serial: 5EFF413F5BE031FA4A4A23C4FB92D70F32BACCB9 / notbefore: May 22 19:02:30 2024 GMT / notafter: May 22 19:02:30 2025 GMT]
[Thu May 23 18:37:00.941745 2024] [ssl:warn] [pid 74533:tid 74533] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu May 23 18:37:00.941748 2024] [ssl:info] [pid 74533:tid 74533] AH02568: Certificate and private key www.example.com:443:0 configured from /etc/httpd/conf/server.crt and /etc/httpd/conf/server.key
[Thu May 23 18:37:00.959651 2024] [mpm_event:notice] [pid 74533:tid 74533] AH00489: Apache/2.5.1-dev (Unix) OpenSSL/3.0.8 configured -- resuming normal operations
[Thu May 23 18:37:00.959673 2024] [core:notice] [pid 74533:tid 74533] AH00094: Command line: '/usr/sbin/httpd'

After applying my fix (https://github.com/apache/httpd/pull/447), custom DH parameters now work properly.

~]# cat /var/log/httpd/error_log
[Thu May 23 18:39:12.375762 2024] [ssl:info] [pid 74533:tid 74533] AH01914: Configuring server www.example.com:443 for SSL protocol
[Thu May 23 18:39:12.376197 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(552): AH01893: Configuring TLS extension handling
[Thu May 23 18:39:12.377114 2024] [ssl:debug] [pid 74533:tid 74533] ssl_util_ssl.c(462): AH02412: [www.example.com:443] Cert does not match for name 'www.example.com' [subject: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / issuer: emailAddress=oha@amazon.co.jp,CN=localhost,OU=support,O=aws,L=Shinagawa,ST=Tokyo,C=JP / serial: 5EFF413F5BE031FA4A4A23C4FB92D70F32BACCB9 / notbefore: May 22 19:02:30 2024 GMT / notafter: May 22 19:02:30 2025 GMT]
[Thu May 23 18:39:12.377125 2024] [ssl:warn] [pid 74533:tid 74533] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu May 23 18:39:12.377128 2024] [ssl:info] [pid 74533:tid 74533] AH02568: Certificate and private key www.example.com:443:0 configured from /etc/httpd/conf/server.crt and /etc/httpd/conf/server.key
[Thu May 23 18:39:12.377278 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(1611): AH02540: Custom DH parameters (1024 bits) for www.example.com:443 loaded from /etc/httpd/conf/server.crt
[Thu May 23 18:39:12.395254 2024] [mpm_event:notice] [pid 74533:tid 74533] AH00489: Apache/2.5.1-dev (Unix) OpenSSL/3.0.8 configured -- resuming normal operations
[Thu May 23 18:39:12.395276 2024] [core:notice] [pid 74533:tid 74533] AH00094: Command line: '/usr/sbin/httpd'

=> "[Thu May 23 18:39:12.377278 2024] [ssl:debug] [pid 74533:tid 74533] ssl_engine_init.c(1611): AH02540: Custom DH parameters (1024 bits) for www.example.com:443 loaded from /etc/httpd/conf/server.crt"
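The failure mode above is silent: without the fix there is no warning, only the absence of the AH02540 line. The following audit script is an added example, not part of the bug report or of httpd; it walks an SSLCertificateFile bundle in file order, decodes a PKCS#3 DH PARAMETERS block with a minimal DER parser (no OpenSSL needed) to report the prime size and generator, and flags two things an administrator would want to know: DH parameters placed after a CERTIFICATE block, which httpd on OpenSSL 3.x ignores until the fix is applied, and a group below 2048 bits. The SAMPLE_BUNDLE is constructed: its CERTIFICATE body is a placeholder string, not a real certificate, while the DH PARAMETERS block is the 1024-bit group from the report.

```python
import base64
import re

# Constructed sample bundle laid out like the report's server.crt: the
# certificate first, then the DH parameters. The CERTIFICATE body is just
# base64("placeholder"), not a certificate; only its label matters here.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN2CP4uKyajqHYulLt6By0WcdGu7bpyEBvjJ/lVYJT0bAMJaTnZ8YVbZ
fc7jkTBwp413mdlyuaAQmDe8ctmNuby3GUHtf0Y8chSLQy6HnZ6/6Uck524Qspsl
YgBSXHwx/DI29L3A5Wq6QF22ar5eCwYbOh/NzYjVmL7Qt8xBzrjXAgEC
-----END DH PARAMETERS-----
"""

# Same DH block on its own, for comparison with the bundled layout.
DH_ONLY = SAMPLE_BUNDLE[SAMPLE_BUNDLE.index("-----BEGIN DH PARAMETERS-----"):]

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def _der_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Decode PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a SEQUENCE")
    tag, p_bytes, pos = _der_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("prime is not an INTEGER")
    tag, g_bytes, _ = _der_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("generator is not an INTEGER")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_bundle(text):
    """Summarise a certificate bundle: block order, DH group size, findings."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    result = {"order": labels, "dh_bits": None, "dh_generator": None, "findings": []}
    dh_index = next((i for i, l in enumerate(labels) if l == "DH PARAMETERS"), None)
    if dh_index is None:
        result["findings"].append("no DH PARAMETERS block: httpd falls back to its built-in groups")
        return result
    p, g = parse_dh_params(blocks[dh_index][1])
    result["dh_bits"] = p.bit_length()
    result["dh_generator"] = g
    if p.bit_length() < 2048:
        result["findings"].append(
            f"{p.bit_length()}-bit DH group is below the 2048-bit size generally recommended")
    if "CERTIFICATE" in labels[:dh_index]:
        result["findings"].append(
            "DH PARAMETERS follow a CERTIFICATE block: httpd on OpenSSL 3.x ignores them "
            "until the PR 447 fix is applied; check error_log for an AH02540 line")
    return result


if __name__ == "__main__":
    for name, bundle in (("bundled", SAMPLE_BUNDLE), ("dh-only", DH_ONLY)):
        report = audit_bundle(bundle)
        print(name, report["order"], report["dh_bits"], "bits, g =", report["dh_generator"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against the real server.crt with `audit_bundle(open(path).read())`; an empty findings list plus an AH02540 line in error_log at LogLevel ssl:debug is the state to aim for. The DER parser handles only the two-integer PKCS#3 shape, which is what `openssl dhparam` emits, and raises on anything else rather than guessing.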