Disable Diffie-Hellman (DH) key in Ubuntu 16 and Nginx
For a website hosted on Ubuntu 16 with Nginx, SSL tests always show a B grade. Below is the reason shown. See also the attached image. The current SSL cipher settings are below. I have noticed the same thing on around 8 to 10 servers I have with Ubuntu 16 and Nginx.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'AES256+EECDH:AES256+EDH::!EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
ssl_session_cache shared:SSL:10m;

Diffie-Hellman (DH) key exchange parameters. Grade capped to B

Qualys SSL Labs - SSL Server Test

Caboose answered 25/1, 2018 at 5:37 Comment(0)

Finally I found the solution. By default Linux uses the inbuilt DH provided by OpenSSL. This uses a weak key. The solution is to generate our own. Use the below to generate a new one. I used 2048; you can also try 4096.

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Then add it to the nginx main conf and reload. Here we go. We now have an A grade.

ssl_dhparam /etc/nginx/ssl/dhparam.pem;


Reference URLs:

https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score

https://geekflare.com/nginx-webserver-security-hardening-guide/

Caboose answered 26/1, 2018 at 17:49 Comment(0)
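As an added example (not code from the thread), the check below parses a PKCS#3 "DH PARAMETERS" PEM file, the format written by openssl dhparam, in pure Python and reports the size of the prime, so you can confirm a dhparam.pem is at least 2048 bits before pointing ssl_dhparam at it. The function names, the 2048-bit threshold (the level below which SSL Labs caps the grade at B) and the sample inputs are assumptions constructed for this example.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length

def dh_params_from_pem(pem_text):
    """Return (p, g) from DHParameter ::= SEQUENCE { prime p, base g, ... }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)      # an optional privateValueLength may follow; ignored
    return p, g

def dh_prime_bits(pem_text):
    return dh_params_from_pem(pem_text)[0].bit_length()

def dhparam_is_strong(pem_text, minimum_bits=2048):
    """True if the prime meets the assumed minimum (2048 bits)."""
    return dh_prime_bits(pem_text) >= minimum_bits

def _der_int_encode(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when needed
    return b"\x02" + _der_len_encode(len(body)) + body

def _der_len_encode(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def dh_params_to_pem(p, g):
    """Encode (p, g) as a PEM block; used here to build constructed test inputs."""
    body = _der_int_encode(p) + _der_int_encode(g)
    b64 = base64.b64encode(b"\x30" + _der_len_encode(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    text = open(sys.argv[1] if len(sys.argv) > 1 else "/etc/nginx/ssl/dhparam.pem").read()
    print(f"DH prime: {dh_prime_bits(text)} bits, strong: {dhparam_is_strong(text)}")
```

Run it against the file named in ssl_dhparam; a 1024-bit result explains the capped grade even when the ciphers look fine.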

The Mozilla SSL Configuration Generator is the best way to properly configure your TLS setup.

Mongolism answered 25/1, 2018 at 5:50 Comment(1)
Do you think it is because of the "ssl_ciphers" used? I don't think so; I have an A grade with the same ciphers on CentOS servers. Caboose
