Re: How to use DH 4096 parameters?

Hi!

On 13 Mar 2022 at 15:54, Walter Hop <apache@xxxxxxxxxxxxxxxxx> wrote:

> Hi all,
>
> I am trying to strengthen my HTTPS setup.
>
> One security-checker which is popular in my country is internet.nl.

And rightly so!

> One thing I have a problem with is their check “Key exchange parameters”.
>
> On my old setup, this was DH 2048, which is considered “insufficient” according to internet.nl. I have tried the following things:
>
> 1) use a 4096 bit RSA key and get a new certificate
> 2) generate DH params with: openssl dhparam -out /etc/apache2/dhparam.pem 4096
> 3) in my configuration, added: SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
>
> The result of these steps is that my server now seems to use DH 3072 bit, which is better, but not yet 4096 bit. It’s still considered “insufficient” by the checker. You can see the check results here: https://internet.nl/site/lifeforms.nl/1527698/#control-panel-14
>
> I’m confused where the DH 3072 comes from. My question is, what should I configure so that DH 4096 is sent?

Is your DH file actually 4096 bits? ;)

Does Apache have a setting similar to tune.ssl.default-dh-param in HAProxy, maybe?

> I am running Apache 2.4.52 (from Ondrej Sury) with OpenSSL 1.1.1 from Ubuntu 18.04 LTS.
>
> Any info would be super useful, thanks in advance!
>
> Kind regards,
> WH
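The reply's question ("Is your DH file actually 4096 bits?") can be settled by measuring the file rather than guessing. The script below is an added example written for this page; it is not code from the thread, from Apache, or from OpenSSL. It parses a PKCS#3 "DH PARAMETERS" PEM file, the format `openssl dhparam` writes, as the DER structure SEQUENCE { INTEGER p, INTEGER g } and reports the bit length of the modulus p, which is the "DH 2048 / 3072 / 4096" figure a TLS checker reports. The `make_dh_pem` encoder and the moduli built in `main` are constructed test fixtures only: they are odd numbers of the right size, not primes, and exist solely to exercise the length check. Against a real system, run it on the file named in the `SSLOpenSSLConfCmd DHParameters` line.

```python
#!/usr/bin/env python3
"""Report the modulus size of a PKCS#3 "DH PARAMETERS" PEM file (added example)."""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_length(buf, i):
    """Decode a DER length field starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:                      # short form: the byte is the length
        return first, i + 1
    n = first & 0x7F                      # long form: n big-endian length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_integer(buf, i):
    """Decode a DER INTEGER (tag 0x02) at buf[i]; return (value, next index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, j = _der_length(buf, i + 1)
    return int.from_bytes(buf[j:j + length], "big"), j + length


def parse_dh_params(pem_text):
    """Return (p, g) from a PKCS#3 DH parameter PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no 'DH PARAMETERS' block found (X9.42 files are not handled)")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_length(der, 1)            # skip over the SEQUENCE length
    p, i = _der_integer(der, i)
    g, _ = _der_integer(der, i)
    return p, g


def dh_prime_bits(pem_text):
    """Bit length of the modulus p; this is the 'DH nnnn' size a TLS checker reports."""
    p, _ = parse_dh_params(pem_text)
    return p.bit_length()


def make_dh_pem(p, g=2):
    """Encode (p, g) as a PKCS#3 PEM. Used here only to build constructed test inputs."""
    def enc_length(n):
        if n < 0x80:
            return bytes([n])
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(nb)]) + nb

    def enc_integer(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if b[0] & 0x80:                   # leading zero keeps the INTEGER positive
            b = b"\x00" + b
        return b"\x02" + enc_length(len(b)) + b

    body = enc_integer(p) + enc_integer(g)
    der = b"\x30" + enc_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[k:k + 64] for k in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def main(argv):
    if len(argv) > 1:                     # real use: python3 dhbits.py /etc/apache2/dhparam.pem
        with open(argv[1]) as f:
            pem = f.read()
    else:                                 # constructed fixture: a 3072-bit odd number, NOT a
        pem = make_dh_pem((1 << 3071) | 1)  # prime, used only to exercise the length check
    bits = dh_prime_bits(pem)
    print("DH modulus: %d bits" % bits)   # prints "DH modulus: 3072 bits" for the fixture
    return bits


if __name__ == "__main__":
    main(sys.argv)
```

The same figure is printed by `openssl dhparam -in /etc/apache2/dhparam.pem -text -noout`, whose first line reads "DH Parameters: (nnnn bit)". Checking the file directly separates the two possible causes of the observed 3072: either the file is not what was expected, or the server is not using it, and only the second requires looking at the Apache configuration.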





