No need for Diffie-Hellman and ssl_dhparam for nginx
weleoka opened this issue · comments
The script copies in recommended TLS settings for nginx, as well as an existing DH group from certbot on GitHub:
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
If a user of this script serves their site using the nginx config with the line ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; for nginx, then that DH is a static group.
This DH is not required by any part of the process, and it is not clear whether it even disables the ephemeral Diffie-Hellman exchange for incoming connections. This ssl_dhparam
can be removed from the recommended nginx server script.
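As an added check (not code from this issue, from certbot, or from the script under discussion), the Python below expands an nginx ssl_ciphers string through OpenSSL and reports which suites actually consume ssl_dhparam, so the decision to keep or drop the directive can be made from the real cipher list rather than guessed. Only finite-field DHE suites read that file; ECDHE suites and TLS 1.3 key exchange use named curves and groups instead, and a fixed group still yields a fresh private exponent per handshake, so it remains ephemeral DH with forward secrecy. The nginx snippet is constructed and the ssl_dhparam path in it is a placeholder.

```python
import re
import ssl

# Constructed nginx TLS fragment in the style of the file the issue discusses;
# the directive values are examples, not certbot's shipped configuration.
SAMPLE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
"""


def parse_directives(conf_text):
    """Collect ssl_* directives from an nginx config fragment (last one wins)."""
    found = {}
    for m in re.finditer(r'^\s*(ssl_\w+)\s+(.*?)\s*;', conf_text, re.M):
        found[m.group(1)] = m.group(2).strip('"\'')
    return found


def dhe_suites(cipher_string):
    """Expand an OpenSSL cipher string the way nginx does and return the suites
    whose key exchange is finite-field DH, i.e. the only ones that use
    ssl_dhparam. ECDHE suites and TLS 1.3 suites report a different 'kea'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-dhe"]


def assess(conf_text):
    """Decide whether ssl_dhparam is needed, inert, or missing for this config."""
    d = parse_directives(conf_text)
    dhe = dhe_suites(d.get("ssl_ciphers", "DEFAULT"))
    has_group = "ssl_dhparam" in d
    if dhe and not has_group:
        verdict = "DHE suites listed but no ssl_dhparam: no group to offer, so they are not selectable"
    elif dhe:
        verdict = "ssl_dhparam is used by %d DHE suite(s); keep it and use a group of at least 2048 bits" % len(dhe)
    elif has_group:
        verdict = "no DHE suites in ssl_ciphers: ssl_dhparam is inert and can be dropped"
    else:
        verdict = "no DHE suites and no ssl_dhparam: nothing to change"
    return {"dhe_suites": dhe, "has_dhparam": has_group, "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```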
This has nothing to do with issue 75. Do not reference other issues to attract attention to your problem. This is not a personal help forum for you @234146326