Disable Diffie-Hellman (DH) key in Ubuntu 16 and Nginx

For a website hosted on Ubuntu 16 with Nginx, SSL tests always show a B grade. Below is the reason shown. See also the attached image. The current SSL cipher settings are below. I have noticed the same thing on around 8 to 10 servers I have with Ubuntu 16 and Nginx.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;

Diffie-Hellman (DH) key exchange parameters. Grade capped to B

Qualys SSL Labs - SSL Server Test

947 likes
asked Jan 25 '18 05:01 by nisamudeen97


1 Answer

Finally I found the solution. By default Linux uses the inbuilt DH parameters provided by OpenSSL. These use a weak key. The solution is to generate our own. Use the command below to generate a new one. I used 2048; you can also try 4096.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Then add it to nginx main conf and reload. Here we go. We now have A grade.

ssl_dhparam /etc/nginx/ssl/dhparam.pem;


Reference URLs:

https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

https://geekflare.com/nginx-webserver-security-hardening-guide/

98 likes
answered Oct 18 '22 03:10 by nisamudeen97
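As an added example (not part of the original question or answer), the script below checks the two things the answer changes: how large the DH modulus in a `dhparam.pem` actually is, and whether the nginx config references that file with `ssl_dhparam`. It uses only the Python standard library and parses the `DH PARAMETERS` PEM that `openssl dhparam` writes (a DER `SEQUENCE { INTEGER p, INTEGER g }`). The function names are my own, and the sample PEM blocks are constructed fixtures whose moduli are not primes; they exist only to exercise the parser, so the 1024-bit one stands in for the OpenSSL built-in group behind the B grade and the 2048-bit one for the group the answer generates.

```python
"""Audit an nginx TLS setup for the DH parameter issue discussed above.

Added example, not from the original post. Standard library only: parses
the DH PARAMETERS PEM written by `openssl dhparam` and reports the bit
size of the prime p, then checks whether an nginx config references the
file via the ssl_dhparam directive.
"""
import base64
import re

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dhparam_pem(pem_text):
    """Return (p, g) from a 'DH PARAMETERS' PEM block."""
    lines = [line.strip() for line in pem_text.splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("not a DH PARAMETERS PEM block")
    b64 = "".join(lines[lines.index(PEM_HEADER) + 1:lines.index(PEM_FOOTER)])
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two DER INTEGERs (p, g)")
    return (int.from_bytes(p_bytes, "big", signed=True),
            int.from_bytes(g_bytes, "big", signed=True))


def dh_prime_bits(pem_text):
    """Size of the DH modulus p in bits; this is what the SSL Labs test grades."""
    p, _ = parse_dhparam_pem(pem_text)
    return p.bit_length()


def audit_dhparam(pem_text, minimum_bits=2048):
    """Flag DH groups below minimum_bits (a 1024-bit group caps the grade at B)."""
    bits = dh_prime_bits(pem_text)
    return {"bits": bits, "ok": bits >= minimum_bits}


def nginx_dhparam_path(config_text):
    """Path given to ssl_dhparam in an nginx config, or None if it is absent."""
    m = re.search(r"^\s*ssl_dhparam\s+(\S+?)\s*;", config_text, re.MULTILINE)
    return m.group(1) if m else None


def make_sample_dhparam_pem(bits):
    """Constructed fixture: p is NOT prime, just a number of the requested bit
    length, so this PEM exercises the parser and nothing else. Real parameters
    come from `openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048`."""
    p = (1 << (bits - 1)) | 1              # top bit and low bit set
    der = _der_integer(p) + _der_integer(2)
    der = b"\x30" + _der_length(len(der)) + der
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEADER}\n{wrapped}\n{PEM_FOOTER}\n"


# Constructed fixtures: a 1024-bit group like the OpenSSL built-in default that
# produced the B grade, and a 2048-bit group like the one the answer generates.
SAMPLE_WEAK_PEM = make_sample_dhparam_pem(1024)
SAMPLE_STRONG_PEM = make_sample_dhparam_pem(2048)

# Constructed nginx snippets: the question's settings without ssl_dhparam,
# and the same settings with the answer's directive added.
CONFIG_BEFORE = "ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\nssl_session_cache shared:SSL:10m;\n"
CONFIG_AFTER = CONFIG_BEFORE + "ssl_dhparam /etc/nginx/ssl/dhparam.pem;\n"

if __name__ == "__main__":
    for name, pem in (("weak", SAMPLE_WEAK_PEM), ("strong", SAMPLE_STRONG_PEM)):
        print(name, audit_dhparam(pem))
    print("before:", nginx_dhparam_path(CONFIG_BEFORE))
    print("after: ", nginx_dhparam_path(CONFIG_AFTER))
```

To check a real server, read `/etc/nginx/ssl/dhparam.pem` (or whatever path `nginx_dhparam_path` returns for your config) and pass its contents to `audit_dhparam`; `openssl dhparam -in /etc/nginx/ssl/dhparam.pem -text -noout` reports the same bit size. Generating the 2048-bit group is the slow part of the fix; parsing and checking it is instant, so this check fits in a config-management or CI step that runs across all of the servers mentioned in the question.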