Vesta Control Panel - Forum

Community Forum

Skip to content

Advanced search
  • Quick links
    • Main site
    • Github repo
    • Google Search
  • FAQ
  • Login
  • Register
  • Board index Main Section Web Server
  • Search

SSL weak Diffie-Hellman

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
Post Reply
  • Print view
Advanced search
4 posts • Page 1 of 1
hack13
Posts: 1
Joined: Tue Aug 04, 2015 7:03 am

SSL weak Diffie-Hellman
  • Quote

Post by hack13 » Tue Aug 04, 2015 7:08 am

I did a test using https://www.ssllabs.com/ssltest/index.html and got back that the grade is being capped at a B because of "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B." I tried to make the changes it said for nginx that it suggests here: https://weakdh.org/ but then nginx wouldn't start, so I rolled it back.

Maybe someone can spread some light on this issue.
Top
skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm
Contact:
Contact skurudo
Website Facebook Google+ Skype
Twitter

Re: SSL weak Diffie-Hellman
  • Quote

Post by skurudo » Fri Aug 07, 2015 8:42 pm

Well, this is not a long story. A long time ago, before shit storm with logjam and other openssl bugs, ssllabs give A and A+ without DH. But after openssl bugs there's no way get high score... you need to generate dhparam first:

Code: Select all

dhparam -out /etc/pki/nginx/dhparam.pem 4096
You can use code for sninx (change some part for you)

Code: Select all

server {
    listen YOUR-IP:443 ssl spdy;
    server_name dsmirnov.pro;
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl on;
    ssl_certificate /etc/pki/nginx/dsmirnov.pro.pem;
    ssl_certificate_key /etc/pki/nginx/dsmirnov.pro.clean.key;
    ssl_dhparam /etc/pki/nginx/dhparam.pem;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:2m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
}
Top
xjlin0
Posts: 22
Joined: Fri Dec 30, 2016 2:22 pm

Re: SSL weak Diffie-Hellman
  • Quote

Post by xjlin0 » Sat Dec 31, 2016 2:23 pm

I am using Debian 8.6 jessie and here is what I follow to make it A+ https://becoder.org/vestacp-weakdh
(On Debian 8.6 jessie, openssl version is 1.0.1t as of now, I use Debian stretch repository to apt-get install openssl to make it 1.1.0c)

WARNING: this takes time.

Code: Select all

sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096
sudo vi /etc/nginx/nginx.conf
Inside of /etc/nginx/nginx.conf, after ssl_ciphers

Code: Select all

      ssl_dhparam         /etc/nginx/dhparams.pem;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
Top
MuadDiib
Posts: 2
Joined: Mon Jul 09, 2018 1:37 pm

Os: CentOS 6x
Web: apache + nginx
Re: SSL weak Diffie-Hellman
  • Quote

Post by MuadDiib » Mon Jul 09, 2018 1:38 pm

better use this FASTER way

Code: Select all

openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096
Top
Post Reply
  • Print view
4 posts • Page 1 of 1

Return to “Web Server”



  • Board index
  • All times are UTC
  • Delete all board cookies
  • The team
Powered by phpBB® Forum Software © phpBB Limited
*Original Author: Brad Veryard
*Updated to 3.2 by MannixMD
 

 

Login  •  Register

I forgot my password