SSL weak Diffie-Hellman
I did a test using https://www.ssllabs.com/ssltest/index.html and got back that the grade is being capped at a B because of "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." I tried to make the changes for nginx that it suggests here: https://weakdh.org/ but then nginx wouldn't start, so I rolled it back.
Maybe someone can spread some light on this issue.
Re: SSL weak Diffie-Hellman
Well, this is not a long story. A long time ago, before the shit storm with logjam and other openssl bugs, ssllabs gave A and A+ without DH. But after the openssl bugs there's no way to get a high score... you need to generate dhparam first:
You can use the code for nginx (change some parts for yourself):
```sh
# generate 4096-bit DH parameters (the original omitted the `openssl` command name)
openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096
```
```nginx
server {
    # `spdy` and `ssl on;` date from older nginx releases (spdy was replaced by http2 in 1.9.5,
    # `ssl on;` was deprecated in 1.15.0); kept here as posted
    listen YOUR-IP:443 ssl spdy;
    server_name dsmirnov.pro;
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl on;
    ssl_certificate /etc/pki/nginx/dsmirnov.pro.pem;
    ssl_certificate_key /etc/pki/nginx/dsmirnov.pro.clean.key;
    # the line that fixes the weak-DH cap: point nginx at the generated parameters
    ssl_dhparam /etc/pki/nginx/dhparam.pem;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:2m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
}
```
Re: SSL weak Diffie-Hellman
I am using Debian 8.6 jessie and here is what I followed to make it A+: https://becoder.org/vestacp-weakdh
(On Debian 8.6 jessie, the openssl version is 1.0.1t as of now; I use the Debian stretch repository to apt-get install openssl to make it 1.1.0c.)
WARNING: this takes time.
```sh
sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096
sudo vi /etc/nginx/nginx.conf
```
Inside /etc/nginx/nginx.conf, after ssl_ciphers:
```nginx
ssl_dhparam /etc/nginx/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
```
Re: SSL weak Diffie-Hellman
Better use this FASTER way:
```sh
openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096
```
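Added example, not code from any of the posts above: a stdlib-only Python check that reads the dhparam file nginx loads and reports the prime size, so you can confirm it really is at least 2048 bits (the threshold below which SSL Labs applies the "weak DH" cap) whether it was generated by plain `openssl dhparam` or the faster `-dsaparam` variant, which may write the X9.42 form. `SAMPLE_PEM` is a constructed 64-bit toy parameter used only to exercise the parser; it is deliberately too small and fails the check.

```python
"""Report the prime size of an nginx ssl_dhparam file (stdlib only)."""
import base64
import re

# Matches both PKCS#3 "DH PARAMETERS" (openssl dhparam) and the
# "X9.42 DH PARAMETERS" header that -dsaparam output can carry.
_PEM_RE = re.compile(
    r"-----BEGIN (?:X9\.42 )?DH PARAMETERS-----(.*?)"
    r"-----END (?:X9\.42 )?DH PARAMETERS-----", re.S)

# Constructed sample (not a real generated file): SEQUENCE { p = 2^64-59, g = 2 }.
SAMPLE_PEM = ("-----BEGIN DH PARAMETERS-----\n"
              "MA4CCQD/////////xQIBAg==\n"
              "-----END DH PARAMETERS-----\n")


def _read_tlv(der: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def dh_params(pem: str):
    """Return (prime_bits, generator) from PEM text.

    In both PKCS#3 and X9.42 encodings p is the first INTEGER and g the
    second; trailing fields (q, privateValueLength) are ignored.
    """
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 2:
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("missing p or g")
    return ints[0].bit_length(), ints[1]


def meets_minimum(pem: str, min_bits: int = 2048) -> bool:
    """True when the prime is at least min_bits wide."""
    return dh_params(pem)[0] >= min_bits
```

For a real file: `meets_minimum(open("/etc/nginx/dhparams.pem").read())` should return True after the 4096-bit generation above.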