SSL parameters can globally be set in nf or within specific virtual hosts.ĭisable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order : The selected ciphers are based on Mozilla's Moderate Cipher List. Openssl dhparam -out dhparams.pem 2048 Common Server Productsįor each sever product, we provide two configuration options: (1) safe cipher suites that you should use, and (2) how to specify the Diffie Hellman parameters you generated above. The simplest way of generating a new group is to use OpenSSL: We recommend that you generate a 2048-bit group. Mozilla Firefox, and Microsoft Internet Explorer have increased the minimum group size to 1024-bit. Modern browsers, including Google Chrome, You will first need to generate a new Diffie-Hellman group, regardless of the server software you use. If you have information on how to patch other software, please let us know. You can test your server using the tool below, or by using the Qualsys SSL Server Test. We describe how to define modern ciphers and to generate a Diffie-Hellman group for popular servers below.
Steps (1) and (2) can be accomplished simultaneously by configuring your server to only use modern, secure cipher suites. The discrete log algorithms we used to attack standard Diffie-Hellman groups do not gain as strong of an advantage from precomputation,Īnd individual servers do not need to generate unique elliptic curves. Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoidsĪll known feasible cryptanalytic attacks, and modern web browsers now prefer ECDHE over the original, finite field, Diffie-Hellman.
This page explains how to properly deploy Diffie-Hellman on your server. Our study finds that the current real-world deployment of Diffie-Hellman is less secure than previously believed. Guide to Deploying Diffie-Hellman for TLS
0 kommentar(er)
