how to use dhparam 4096

Comments

3 comments

  • cPRex Jurassic Moderator
    Hey there! It might be best to stick with openssl directly, instead of relying on custom tools to do the work for us. If you run this command from your server, using a domain that is live on your machine:

        openssl s_client -connect yourdomain.com:443 -cipher kEDH

    what does this section of your server look like?

        No client certificate CA names sent
        Peer signing digest: SHA256
        Peer signature type: RSA-PSS
        Server Temp Key: X25519, 253 bits
        ---
        SSL handshake has read 5151 bytes and written 368 bytes
        Verification: OK
        ---
        New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
        Server public key is 4096 bit
        Secure Renegotiation IS NOT supported
    If your output is similar to that, your system is secure and the issue is with that testing tool.
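    The check the moderator describes, turned into a small POSIX shell helper. This is an added example, not code from the thread or from cPanel: it parses the `openssl s_client` output lines quoted above (the sample below is constructed from them, with a second constructed sample showing a weak finite-field DH group) and reports whether the certificate key and the ephemeral handshake key meet the usual 2048-bit floor. Note that `-cipher kEDH` only constrains TLS 1.2 and earlier; under TLS 1.3 the ephemeral key (X25519 in the quoted output) is chosen from the supported groups regardless of that flag, which is why the output above shows X25519 even though DHE suites were requested.

```shell
#!/bin/sh
# Added example (not from the thread): assess key sizes from `openssl s_client` output.

# Constructed sample, built from the output quoted in the thread (TLS 1.3, X25519, 2048-bit cert key).
SAMPLE_OUTPUT='No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4672 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported'

# Constructed sample of what a TLS 1.2 DHE handshake with a 1024-bit dhparam would look like.
WEAK_DH_SAMPLE='Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

# server_key_bits OUTPUT: certificate public key size in bits (empty if not present).
server_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p'
}

# temp_key_type OUTPUT: ephemeral key algorithm from the "Server Temp Key" line (X25519, ECDH, DH, ...).
temp_key_type() {
    printf '%s\n' "$1" | sed -n 's/^Server Temp Key: \([^,]*\),.*/\1/p'
}

# temp_key_bits OUTPUT: ephemeral key size in bits (empty if no Server Temp Key line).
temp_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Server Temp Key: [^,]*, \([0-9][0-9]*\) bits.*/\1/p'
}

# handshake_verdict OUTPUT: prints one of
#   no-forward-secrecy  - no ephemeral key at all (static RSA key exchange)
#   weak-dh             - finite-field DH group smaller than 2048 bits (small dhparam)
#   weak-cert-key       - certificate key smaller than 2048 bits
#   ok                  - nothing in this output to act on
handshake_verdict() {
    out="$1"
    pub_bits=$(server_key_bits "$out")
    tk_type=$(temp_key_type "$out")
    tk_bits=$(temp_key_bits "$out")

    if [ -z "$tk_type" ]; then
        echo "no-forward-secrecy"
    elif [ "$tk_type" = "DH" ] && [ "${tk_bits:-0}" -lt 2048 ]; then
        echo "weak-dh"
    elif [ -n "$pub_bits" ] && [ "$pub_bits" -lt 2048 ]; then
        echo "weak-cert-key"
    else
        echo "ok"
    fi
}

# check_host DOMAIN: run the live check against a host you operate (needs network and openssl;
# not exercised by the embedded samples). -servername sends SNI so the right vhost answers.
check_host() {
    out=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" -cipher kEDH 2>/dev/null)
    echo "$1: temp key ${tk:-$(temp_key_type "$out")}/$(temp_key_bits "$out") bits, cert key $(server_key_bits "$out") bits, verdict $(handshake_verdict "$out")"
}

# Stand-alone run against the constructed samples.
echo "sample: $(handshake_verdict "$SAMPLE_OUTPUT")"
echo "weak dh sample: $(handshake_verdict "$WEAK_DH_SAMPLE")"
```

    Run `check_host yourdomain.com` from the server itself; a verdict of `weak-dh` is the case where regenerating the DH parameters (the `dhparam 4096` in the thread title) or moving to an ECDHE key type, as the later comment suggests, actually changes something, while `ok` with an X25519 or ECDH temp key means the scanner's complaint is not about the live handshake.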
  • themarty
    [quote]what does this section of your server look like?
        No client certificate CA names sent
        Peer signing digest: SHA256
        Peer signature type: RSA-PSS
        Server Temp Key: X25519, 253 bits
        ---
        SSL handshake has read 4672 bytes and written 405 bytes
        Verification: OK
        ---
        New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
        Server public key is 2048 bit
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)
    [quote]If your output is similar to that, your system is secure and the issue is with that testing tool.
    'that' testing tool is widely regarded as one of the best ssl testing tools ;) But, built on top of openssl, the raw output of openssl will of course always be more accurate.
  • themarty
    The solution is to do this: Go to WHM > SSL/TLS Configuration and change to 'ECDSA, P-384 (secp384r1)'. SSL certificates from AutoSSL will attempt to get reissued with the new key type automatically. (Instead of 'ECDSA, P-384 (secp384r1)' you can also select another one.)