Vesta Control Panel - Forum

Community Forum
https://forum.vestacp.com/

SSL weak Diffie-Hellman

https://forum.vestacp.com/viewtopic.php?f=11&t=8962

Page 1 of 1

SSL weak Diffie-Hellman

Posted: Tue Aug 04, 2015 7:08 am
by hack13
I did a test using https://www.ssllabs.com/ssltest/index.html and got back that the grade is being capped at a B because of "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." I tried to make the changes it said for nginx that it suggests here: https://weakdh.org/ but then nginx wouldn't start, so I rolled it back.

Maybe someone can spread some light on this issue.

Re: SSL weak Diffie-Hellman

Posted: Fri Aug 07, 2015 8:42 pm
by skurudo
Well, this is not a long story. A long time ago, before shit storm with logjam and other openssl bugs, ssllabs give A and A+ without DH. But after openssl bugs there's no way get high score... you need to generate dhparam first:

Code: Select all

dhparam -out /etc/pki/nginx/dhparam.pem 4096
You can use code for sninx (change some part for you)

Code: Select all

server {
    listen YOUR-IP:443 ssl spdy;
    server_name dsmirnov.pro;
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl on;
    ssl_certificate /etc/pki/nginx/dsmirnov.pro.pem;
    ssl_certificate_key /etc/pki/nginx/dsmirnov.pro.clean.key;
    ssl_dhparam /etc/pki/nginx/dhparam.pem;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:2m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
}

Re: SSL weak Diffie-Hellman

Posted: Sat Dec 31, 2016 2:23 pm
by xjlin0
I am using Debian 8.6 jessie and here is what I follow to make it A+ https://becoder.org/vestacp-weakdh
(On Debian 8.6 jessie, openssl version is 1.0.1t as of now, I use Debian stretch repository to apt-get install openssl to make it 1.1.0c)

WARNING: this takes time.

Code: Select all

sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096
sudo vi /etc/nginx/nginx.conf
Inside of /etc/nginx/nginx.conf, after ssl_ciphers

Code: Select all

      ssl_dhparam         /etc/nginx/dhparams.pem;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Re: SSL weak Diffie-Hellman

Posted: Mon Jul 09, 2018 1:38 pm
by MuadDiib
better use this FASTER way

Code: Select all

openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/