Hi,
I have a LAMP stack Digital Ocean Droplet with multiple virtual hosts.
I try to generate and use 2048-bit or stronger Diffie-Hellman groups.
I already added the key with this code:
openssl dhparam -out dhparams.pem 2048
Now I try to use the new 2048-bit groups by using this code:
cat /path/to/custom/dhparam >> /path/to/sslcertfile
I tried:
cat /etc/letsencrypt/live/www.mydomain.net/privkey.pem >> /etc/letsencrypt/live/www.mydomain/fullchain.pem
Without luck.
I also tried:
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
And got: SSLOpenSSLConfCmd: command not found
Any idea on how to fix this?
Thanks
Ben
2 Likes
Why not use (one of) the named finite field groups as recommended by Mozilla? See the intermediate configuration at Security/Server Side TLS - MozillaWiki and the corresponding RFC.
May I also suggest the Mozilla SSL configuration generator at https://ssl-config.mozilla.org/ ? This includes instructions for the inclusion of the ffdhe2048 parameters.
Or even better: just remove all classic DH ciphers from your cipher suit list.. Unless you absolutely require these due to client compatibility.
13 Likes
Hi Osiris,
I love the last suggestion since it seems to be much easier
This is my suit list:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
How do I know which to remove?
Thanks
2 Likes
I changed to the cipher suit from Firefox:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Which works great.
I still want to use 2048-bit Diffie Hellman Group and seek help to do so, thanks!
2 Likes
Osiris
July 4, 2022, 10:34am
5
I don't understand. Why would you still want to use classic DH groups without classic DH cipher suits? It's either both or neither.
Edit: Although I see you haven't actually removed the classic DH cipher suits, so I guess you don't want to exclude them totally.
The Mozilla SSL generator should provide enough info.
10 Likes
Please take a look at Key Exchange Parameters:
Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, TLS, HSTS,
DMARC, DKIM, SPF, STARTTLS and DANE.
1 Like
I tried to, its a mistake, thanks for letting me know. I don't know how to do so
2 Likes
Thanks.
What are the correct paths?
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key
/path/to/sslcertfile
These seems to be wrong:
/etc/letsencrypt/live/www.mydomain.net/privkey.pem
/etc/letsencrypt/live/www.mydomain/fullchain.pem
1 Like
Osiris
July 14, 2022, 5:52pm
9
privkey.pem
and fullchain.pem
can be used for SSLCertificateKeyFile
and SSLCertificateFile
respectively, but that would lack your DH params. Certbot does not offer those. However, you could e.g. save https://ssl-config.mozilla.org/ffdhe2048.txt to /etc/letsencrypt/ffdhe2048.txt
and use that file to concatenate to fullchain.pem
. I suggest to use a script to do that and use that script in the --deploy-hook
command of Certbot.
4 Likes
Sounds good.
Do you know a link to an example or such where such a script is used in --deploy-hook command?
Thanks again, I really appreciate it!
1 Like
rg305
July 14, 2022, 6:17pm
11
Try using:
SSLOpenSSLConfCmd DHParameters /path/to/dhparams.pem
[presuming you are using Apache
]
6 Likes
Osiris
July 14, 2022, 6:19pm
12
See OP:
Although reading that error I'm not sure it was actually used in an Apache configuration file or just plain on the command line?
I'm sure OP currently has enough info to combine that Apache configuration command with the ffdhe2048.txt
from Mozillas site.
4 Likes
rg305
July 14, 2022, 6:26pm
13
benjaone:
I also tried:
Silly me.
What version of OpenSSL are you using?
7 Likes
Thanks!
I just created the /etc/letsencrypt/ffdhe2048.txt
and pasted this in it:
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
The I tried this:
SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/www.a-c-d.net/privkey.pem
and got: SSLOpenSSLConfCmd: command not found
What am I missing?
And yes, I have a LAMP stack.
Thanks!
2 Likes
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Thanks!
2 Likes
benjaone:
/path/to/dhparams.pem
I am in doubt if /path/to/dhparams.pem
is
/etc/letsencrypt/live/www.a-c-d.net/privkey.pem
Thanks!
2 Likes
rg305
July 14, 2022, 6:35pm
18
That should be:
SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/ffdhe2048.txt
6 Likes
Yea, I am new to this and is in deep water. Yes I just typed it in the command line.
I could really need a good tutorial on this
1 Like