Nginx – Should I set diffie helman parameters for nginx ssl

nginxssl

I have set up nginx with ssl. Everything works perfectly, with online tools giving the domain a good score.

Now I am wondering about one particular nginx configuration option; ssl_dhparam. Should I generate and set these parameters? Does it have any influence on security or computational load of ssl?

Best Answer

Should I generate and set these parameters?

Yes.

Does it have any influence on [the] security...of ssl?

Yes, when enabling Perfect Forward Secrecy. An appropriate ciphersuite must also be configured.

If a future attacker compromises your TLS, with PFS past traffic they intercepted and retained still cannot be decrypted.

Generate a DHE prime no smaller than your SSL certificate RSA private key. Given a 2048 bit private key:

$ openssl dhparam -out dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+

Does it have any influence on [the]...computational load of ssl?

Too little to worry about.

conventional wisdom that TLS is slow is outdated
the advantage of PFS outweighs the cost
TLS is well handled by modern CPUs; adding DH has a minor incremental cost compared to the total cost of TLS
this cost is only incurred during the TLS handshake; a well-tuned TLS does the handshake infrequently or otherwise reduces the cost with session resumption, false-start, OCSP stapling, and more

Google I/O 2014 had a good HTTPS Everwhere talk which covered these and related topics in a broad fashion.

Related Solutions

Nginx with multiple servers and ssl cert, always use the same ssl

You need to assign an individual IP address for each SSL cert you want to use.

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

http://www.ruby-forum.com/topic/186664#815383

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

Best Answer

Related Solutions

Nginx with multiple servers and ssl cert, always use the same ssl

Nginx – Properly setting up a “default” nginx server for https

Related Topic