
Use dsa-like dhparams

Discussion in 'Feature Requests & Suggestions' started by Liam W, Jan 9, 2020.

  1. Liam W

    Liam W Member

    Generating dhparams can take a measurable amount of time... which is somewhat annoying to the impatient. If you use the `--dsaparam` flag, the generation time is significantly decreased, with little effect on security: https://security.stackexchange.com/a/95184
     
  2. rdan

    rdan Well-Known Member

    Or much faster:
    Code:
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
     
  3. eva2000

    eva2000 Administrator Staff Member

    Yes, generating the dhparam file takes a lot of time on slower systems. When I was trying to optimise the dhparam file generation, I did consider the --dsaparam flag. But security isn't as good. See the comment in the same link you posted at https://security.stackexchange.com/...ting-after-24-hours/95184#comment421230_95184

    and the bold highlighted part in /docs/man1.1.1/man1/dhparam.html
    So what I did was only generate a strong dhparam file for the first Nginx vhost generated on Centmin Mod 123.09beta01 or higher. Subsequent Nginx vhosts will check if a dhparam file has already been generated and reuse the same dhparam file from the initial Nginx vhost - the specific routine that does this is in centminmod/centminmod. It's a compromise to balance speed versus security.

    Example: for the domain1.com Nginx vhost, the generated dhparam.pem is at /usr/local/nginx/conf/ssl/domain1.com/dhparam.pem
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain1.com/dhparam.pem
    -rw-r--r--. 1 root root 424 Apr  4  2017 /usr/local/nginx/conf/ssl/domain1.com/dhparam.pem
    

    Technically, for speed, you can do what @rdan suggests. Just take an existing Centmin Mod Nginx generated dhparam.pem and place it in /usr/local/nginx/conf/ssl/dhparam.pem for the Centmin Mod Nginx vhost routines to find.
    So right after the initial Centmin Mod install, run this command
    Code (Text):
    openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048

    to pre-create the dhparam so that the Nginx vhost creation routine can pick up the dhparam.pem file.
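Before a single dhparam.pem is dropped in place and reused by every vhost as described in this thread, it is worth confirming what the file actually contains. The following is an added Python example, not Centmin Mod's or OpenSSL's code: it assumes the PKCS#3 `DH PARAMETERS` PEM that `openssl dhparam` writes by default (the name `check_dhparams` and the 2048-bit default are this example's own) and reports whether p is a safe prime of the expected size, which the default generator produces and `--dsaparam` does not.

```python
import base64

BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
# Assumed input: the PKCS#3 "DH PARAMETERS" PEM that `openssl dhparam` writes (SEQUENCE { p, g }).
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: exact below 3e23, overwhelmingly reliable above."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _tlv(buf: bytes, pos: int):
    """Read one DER element; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparams(pem: str) -> tuple:
    """Return (p, g); any other PEM type (e.g. X9.42 parameters carrying a q) raises ValueError."""
    body = pem.partition(BEGIN)[2].partition(END)[0]
    if not body.strip():
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    tag_p, p_raw, nxt = _tlv(seq, 0)
    tag_g, g_raw, _ = _tlv(seq, nxt)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def check_dhparams(pem: str, min_bits: int = 2048) -> dict:
    """Reusable only if p is a safe prime (p = 2q + 1 with q prime) of at least min_bits."""
    p, g = parse_dhparams(pem)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)  # dsaparam-style groups fail here
    return {"bits": p.bit_length(), "g": g, "safe_prime": safe, "ok": safe and p.bit_length() >= min_bits}
```

Run `check_dhparams(open("/usr/local/nginx/conf/ssl/dhparam.pem").read())` and expect `safe_prime` True and `bits` 2048 for a file produced by the `openssl dhparam ... 2048` command above.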