Page 1 of 1
SSL weak Diffie-Hellman
Posted: Tue Aug 04, 2015 7:08 am
by hack13
I did a test using
https://www.ssllabs.com/ssltest/index.html and got back that the grade is being capped at a B because of "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." I tried to make the changes it said for nginx that it suggests here:
https://weakdh.org/ but then nginx wouldn't start, so I rolled it back.
Maybe someone can spread some light on this issue.
Re: SSL weak Diffie-Hellman
Posted: Fri Aug 07, 2015 8:42 pm
by skurudo
Well, this is not a long story. A long time ago, before shit storm with logjam and other openssl bugs, ssllabs give A and A+ without DH. But after openssl bugs there's no way get high score... you need to generate dhparam first:
Code: Select all
dhparam -out /etc/pki/nginx/dhparam.pem 4096
You can use code for sninx (change some part for you)
Code: Select all
server {
listen YOUR-IP:443 ssl spdy;
server_name dsmirnov.pro;
resolver 127.0.0.1;
ssl_stapling on;
ssl on;
ssl_certificate /etc/pki/nginx/dsmirnov.pro.pem;
ssl_certificate_key /etc/pki/nginx/dsmirnov.pro.clean.key;
ssl_dhparam /etc/pki/nginx/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:2m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
}
Re: SSL weak Diffie-Hellman
Posted: Sat Dec 31, 2016 2:23 pm
by xjlin0
I am using Debian 8.6 jessie and here is what I follow to make it A+
https://becoder.org/vestacp-weakdh
(On Debian 8.6 jessie, openssl version is 1.0.1t as of now, I use
Debian stretch repository to apt-get install openssl to make it 1.1.0c)
WARNING: this takes time.
Code: Select all
sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096
sudo vi /etc/nginx/nginx.conf
Inside of /etc/nginx/nginx.conf, after ssl_ciphers
Code: Select all
ssl_dhparam /etc/nginx/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
Re: SSL weak Diffie-Hellman
Posted: Mon Jul 09, 2018 1:38 pm
by MuadDiib
better use this FASTER way
Code: Select all
openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096