starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-11 22:30:44 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

What can I do about Weak Diffie-Hellman and the Logjam Attack #181

New Issue
Closed
opened 2025-12-29 00:26:44 +01:00 by adam · 2 comments
adam commented 2025-12-29 00:26:44 +01:00
Owner
Copy Link

Originally created by @maxisme on GitHub (Jan 4, 2017).

What can I do about this?

I ran https://www.ssllabs.com/ssltest/analyze.html on a domain with the certificates generated by dehydrated.

And the NGINX config:

server {
        listen 443 ssl;

        server_name                 notifi.it;

        root /var/www/notifi.it/public_html;
        index index.php index.html index.htm;

        ssl on;
        ssl_certificate             /etc/nginx/certs/notifi.it/fullchain.pem;
        ssl_certificate_key         /etc/nginx/certs/notifi.it/privkey.pem;

        error_page 404 /404.html;

        location / {
                try_files $uri $uri/ @extensionless-php;
        }

        location @extensionless-php {
            rewrite ^(.*)$ $1.php last;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }
}

And I got a B because of the key exchange:

This server supports weak Diffie-Hellman (DH) key exchange parameters

Originally created by @maxisme on GitHub (Jan 4, 2017). What can I do about [this](https://weakdh.org/)? I ran https://www.ssllabs.com/ssltest/analyze.html on a domain with the certificates generated by `dehydrated`. And the NGINX config: ``` server { listen 443 ssl; server_name notifi.it; root /var/www/notifi.it/public_html; index index.php index.html index.htm; ssl on; ssl_certificate /etc/nginx/certs/notifi.it/fullchain.pem; ssl_certificate_key /etc/nginx/certs/notifi.it/privkey.pem; error_page 404 /404.html; location / { try_files $uri $uri/ @extensionless-php; } location @extensionless-php { rewrite ^(.*)$ $1.php last; } location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } } ``` And I got a B because of the key exchange: > This server supports weak Diffie-Hellman (DH) key exchange parameters
adam closed this issue 2025-12-29 00:26:44 +01:00
adam commented 2025-12-29 00:26:45 +01:00
Author
Owner
Copy Link

@dorelo commented on GitHub (Jan 4, 2017):

Consider generating stronger DH parameters than Nginx's default 1024 bits.

openssl dhparam -out /etc/nginx/dhparam.pem 2048
then add the line
ssl_dhparam /etc/nginx/dhparam.pem; to your nginx config(s).

It is possible to up the size to 4096 bits, 2048 is a generally safe size.

You should also consider setting your preferred protocols and cipher suites:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

Useful resource: https://mozilla.github.io/server-side-tls/ssl-config-generator/

@dorelo commented on GitHub (Jan 4, 2017): Consider generating stronger DH parameters than Nginx's default 1024 bits. `openssl dhparam -out /etc/nginx/dhparam.pem 2048` then add the line `ssl_dhparam /etc/nginx/dhparam.pem;` to your nginx config(s). It is possible to up the size to 4096 bits, 2048 is a generally safe size. You should also consider setting your preferred protocols and cipher suites: ``` ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ``` Useful resource: https://mozilla.github.io/server-side-tls/ssl-config-generator/
adam commented 2025-12-29 00:26:45 +01:00
Author
Owner
Copy Link

@maxisme commented on GitHub (Jan 4, 2017):

A

@maxisme commented on GitHub (Jan 4, 2017): [A](http://pasteboard.co/1OvuYl1Pf.png)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#181
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?