Does the LE client also take care of the Diffie-Hellman keys?

Simple question, but I think it’s a good one to ask: Does the LE client also create DH keys when it automatically configures a server?
At least here it did not do so.

As we know, it is bad to use DH keys < 2048 bit, so if the keys are smaller the LE client should possibly fix it - especially as it would be bad if LE users (webadmins) use the automatic mode of the client and think everything is done, when someone tells them they are attackable (Logjam) and need to (manually) generate some keys.
This would probably impair the “one command and everything is fine” approach by LE.

Possibly related: [SOLVED] Unverified SSL (Nginx)


Found a GitHub issue tracking this:

Still, a human-friendly explanation here would be nice. :wink:


Hi, a simple howto is at https://weakdh.org/sysadmin.html

My question is not how to generate a DH key - my question is whether (and how) this can be automatised in the LE client.

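An added example, not part of the thread and not code from the LE client: one way the check asked about above could be automated, by finding the DH parameter files an nginx configuration points to and reporting any whose prime is below 2048 bits. It assumes nginx's `ssl_dhparam` directive and PEM `DH PARAMETERS` files; the function names are hypothetical.

```python
import base64
import re

MIN_DH_BITS = 2048  # threshold named in the thread

def _der_len(der, pos):
    """Decode the DER length field at pos; return (length, offset of content)."""
    first = der[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(der):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' (PKCS#3) block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    if len(der) < 4 or der[0] != 0x30:    # DHParameter ::= SEQUENCE { p, g, ... }
        raise ValueError("not a DER SEQUENCE")
    _, pos = _der_len(der, 1)
    if pos >= len(der) - 1 or der[pos] != 0x02:   # first element: INTEGER p
        raise ValueError("expected INTEGER p")
    length, pos = _der_len(der, pos + 1)
    if pos + length > len(der):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(der[pos:pos + length], "big").bit_length()

def dhparam_paths(nginx_conf):
    """Files named by active (not commented-out) ssl_dhparam directives."""
    return re.findall(r"^\s*ssl_dhparam\s+([^;\s]+)\s*;", nginx_conf, re.M)

def weak_dhparams(nginx_conf, read_file):
    """Map each configured DH parameter file below MIN_DH_BITS to its size.

    read_file(path) -> str is injected so the check can run on any source.
    """
    sizes = {p: dh_prime_bits(read_file(p)) for p in dhparam_paths(nginx_conf)}
    return {p: bits for p, bits in sizes.items() if bits < MIN_DH_BITS}
```

A configuration with no `ssl_dhparam` directive yields an empty result, so this check says nothing about whatever parameters the server uses by default.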