wmnnd / nginx-certbot

Boilerplate configuration for nginx and certbot with docker-compose

No need for Diffie-Hellman and ssl_dhparam for nginx

weleoka opened this issue · comments

The script copies in recommended TLS settings for nginx, as well as an existing DH group from certbot on GitHub:

  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"

If a user of this script serves their site using the nginx config with the line ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; for nginx, then that DH is a static group.

This DH is not required by any part of the process, and it is not clear whether it perhaps even disables the ephemeral Diffie-Hellman exchange for incoming connections. This ssl_dhparam can be removed from the recommended nginx server script.
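Whatever nginx does with the directive, what the shared group file actually contains can be checked offline. The following is an added example, not code from nginx-certbot or certbot: it parses the PKCS#3 DER (SEQUENCE { INTEGER p, INTEGER g }) inside an ssl-dhparams.pem file and reports the group size and whether p is a safe prime; the function names are mine, and the tiny 23/5 group used for checking is constructed, not a real deployment value.

```python
import base64
import random
# Added illustration, not project code: parse the DER inside an nginx
# ssl_dhparam PEM (SEQUENCE { INTEGER p, INTEGER g }) and assess the group.
def _der_len(buf, pos):
    # Decode a DER length at buf[pos]; return (length, position after it).
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n
def _der_int(buf, pos):
    # Decode a DER INTEGER; signed=True absorbs the 0x00 pad byte DER adds
    # in front of a positive integer whose top bit is set (always so for p).
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def parse_dhparams_pem(pem):
    """Return (p, g) from a '-----BEGIN DH PARAMETERS-----' block (PKCS#3)."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, pos = _der_len(der, 1)          # skip the outer SEQUENCE tag and length
    p, pos = _der_int(der, pos)
    g, _ = _der_int(der, pos)
    return p, g
def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; takes seconds at most for a 2048-bit modulus."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def assess_dh_group(pem, min_bits=2048):
    """Group size and whether p is a safe prime (p = 2q + 1 with q prime)."""
    p, g = parse_dhparams_pem(pem)
    return {"bits": p.bit_length(),
            "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
            "meets_min_bits": p.bit_length() >= min_bits}
```

On a host using this repository's layout, `assess_dh_group(open("/etc/letsencrypt/ssl-dhparams.pem").read())` reports what the downloaded group is; a 2048-bit safe prime is the expected result.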

#75

This has nothing to do with issue 75. Do not reference other issues to attract attention to your problem. This is not a personal help forum for you @234146326