
Disable Diffie-Hellman (DH) key in Ubuntu 16 and Nginx

For websites hosted on Ubuntu 16 with Nginx, SSL tests always show a B grade. Below is the reason shown. See also the attached image. Current SSL cipher settings are below. I have noticed the same thing on around 8 to 10 servers I have with Ubuntu 16 and Nginx.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;

Diffie-Hellman (DH) key exchange parameters. Grade capped to B

Qualys SSL Labs - SSL Server Test

Finally I found the solution. By default Linux uses the inbuilt DH provided by openssl. This uses a weak key. The solution is to generate our own. Use the below to generate a new one. I used 2048; you can also try 4096.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Then add it to the nginx main conf and reload. Here we go. We now have an A grade.

ssl_dhparam /etc/nginx/ssl/dhparam.pem;


Reference urls:-

https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

https://geekflare.com/nginx-webserver-security-hardening-guide/
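The answer above fixes the grade by generating a 2048-bit dhparam file, but it gives no way to confirm what a server is actually using. The following added example (not from the original post or from any of the linked guides) parses a PEM "DH PARAMETERS" file in the PKCS#3 layout that `openssl dhparam` writes by default (a DER SEQUENCE of the prime p and generator g), reports the modulus size, and flags anything below 2048 bits, which is the size the answer generated and the reason the grade was capped. The sample files it checks are constructed inline with the block's own encoder: a 127-bit Mersenne prime stands in for a weak file, and a 2048-bit number that is a size stand-in only, not a real safe prime, stands in for a freshly generated one. All function names are assumptions for this example.

```python
import base64
import textwrap

# --- minimal DER helpers (assumption: only SEQUENCE and INTEGER are needed) ---

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; returns (tag, value bytes, next pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def encode_dhparams_pem(p: int, g: int) -> str:
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { p INTEGER, g INTEGER }."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")

def parse_dhparams_pem(pem: str):
    """Return (p, g) from a PEM dhparam file such as /etc/nginx/ssl/dhparam.pem."""
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dhparam_bits(pem: str) -> int:
    """Size of the DH modulus in bits; this is what the SSL Labs message refers to."""
    p, _ = parse_dhparams_pem(pem)
    return p.bit_length()

def check_dhparam(pem: str, minimum_bits: int = 2048) -> str:
    """Flag a dhparam file whose modulus is smaller than the 2048 bits the answer used."""
    bits = dhparam_bits(pem)
    if bits < minimum_bits:
        return f"WEAK: {bits}-bit DH modulus (below {minimum_bits}); regenerate with openssl dhparam"
    return f"OK: {bits}-bit DH modulus"

# Constructed sample inputs (not real server files):
SAMPLE_WEAK_PEM = encode_dhparams_pem(2**127 - 1, 2)      # 127-bit Mersenne prime
SAMPLE_2048_PEM = encode_dhparams_pem(2**2047 + 1, 2)     # size stand-in, not a safe prime

if __name__ == "__main__":
    print(check_dhparam(SAMPLE_WEAK_PEM))
    print(check_dhparam(SAMPLE_2048_PEM))
```

To run it against a real file, pass `open("/etc/nginx/ssl/dhparam.pem").read()` to `check_dhparam`. The same size can be confirmed with the tool the answer already uses: `openssl dhparam -in /etc/nginx/ssl/dhparam.pem -text -noout` prints the parameter size on its first line, and the parser here is only useful where you want the check inside a script or an audit job rather than at a shell.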

The Mozilla SSL Configuration Generator is the best way to correctly configure TLS settings.
