How to use DH 4096 parameters?

Hi all,

I am trying to strengthen my HTTPS setup.

One security-checker which is popular in my country is internet.nl. One thing I have a problem with is their check “Key exchange parameters”.

On my old setup, this was DH 2048, which is considered “insufficient” according to internet.nl. I have tried the following things:

1) use a 4096 bit RSA key and get a new certificate
2) generate DH params with: openssl dhparam -out /etc/apache2/dhparam.pem 4096
3) in my configuration, added: SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"

The result of these steps is that my server now seems to use DH 3072 bit, which is better, but not yet 4096 bit. It’s still considered “insufficient” by the checker. You can see the check results here: https://internet.nl/site/lifeforms.nl/1527698/#control-panel-14

I’m confused where the DH 3072 comes from. My question is, what should I configure so that DH 4096 is sent?

I am running Apache 2.4.52 (from Ondrej Sury) with OpenSSL 1.1.1 from Ubuntu 18.04 LTS.

Any info would be super useful, thanks in advance!

Kind regards,
WH





