How to Generate a Strong, Unique Diffie Hellman Group

Let's begin at the beginning:
Why do you need to use DH at all?
[it is a very difficult to implement protocol - there is no negotiation on DH size]
[and it is not really that secure]

7 Likes

I still get: SSLOpenSSLConfCmd: command not found

1 Like

What would you suggest? As a good secure solution? I want it to make my site secure, that's it, really.

1 Like

And where do I type this?

1 Like

Then don't use any DH ciphers.
Use TLS1.2 and higher.
Check the site with SSL Labs.

5 Likes

That goes into the Apache configuration file - within the HTTPS server block.
NOT something you type at the CLI.

7 Likes

It works! Is there a better option?

1 Like

I just realized I need ffdhe4096 (RFC 7919)

How to do so?

Thanks

1 Like

Why?
[you can't be serious!]

6 Likes

Due to this test:

1 Like

It is a test site made by the Danish government*

1 Like

I reiterate:
Why do you need DH at all?

5 Likes

To pass the test :smiley:

1 Like

Why do you care about passing the test? That page reflects one person or organization's opinion of how a website should be. Why do you care about that organization's opinion?

7 Likes

I like to do it and get a better and safer site - and do it as a hobby and as a way to learn about it.

1 Like

...and why do you trust that test? Again, that test constitutes the opinion of that organization. If you use a different test, it will give you a different result. But surely you can Google how to change the DH group if you feel like you need to do that.

6 Likes

Then you have two choices:

  • remove the DHE ciphers [and PASS the test]
  • use 4096 DH, with:
    openssl dhparam -out dhparams.pem 4096
    ensure server cipher order preference leaves the DHE ciphers for last
    [again: They are hard to implement; As there is no size negotiation]

7 Likes
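The second choice above as a set of shell helpers, added here as an example and not code from anyone in the thread: generate a fresh group of the intended size, confirm the file really holds a safe prime at least that large before Apache loads it, and print the `SSLOpenSSLConfCmd` line that belongs in the HTTPS server block. File paths are placeholders, and `openssl dhparam` takes exactly one size argument.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
set -eu

# gen_dh OUTFILE BITS: write a freshly generated safe-prime DH group to OUTFILE.
# Generation of a 4096-bit group can take many minutes; that is expected.
gen_dh() {
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# dh_bits FILE: print the prime size recorded in a PEM DH parameter file,
# parsed from the "DH Parameters: (N bit)" header of the -text output.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# dh_check FILE MINBITS: succeed only if openssl's own parameter check passes
# (p prime, safe prime, valid generator) and the prime is at least MINBITS.
# Fails on a missing or malformed file as well as on an undersized group.
dh_check() {
    openssl dhparam -in "$1" -noout -check >/dev/null 2>&1 || return 1
    bits=$(dh_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# apache_fragment FILE: the directive to place inside the <VirtualHost *:443>
# block of the Apache configuration; it is not a command typed at the CLI.
apache_fragment() {
    printf 'SSLOpenSSLConfCmd DHParameters "%s"\n' "$1"
}

# Typical use (placeholder path):
#   gen_dh /etc/ssl/dhparams.pem 4096
#   dh_check /etc/ssl/dhparams.pem 4096 && apache_fragment /etc/ssl/dhparams.pem
```

Run `dh_check` again after any later regeneration so a truncated or half-written file is never handed to the web server.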

Why would you do this? Just change 2048 to 4096 in the ffdhe...txt URL from Mozilla I've posted earlier.....

4 Likes

Because, despite w/e Mozilla might have said, you aren't supposed to reuse such things - bad practice!

6 Likes