Hi!

> On 13 Mar 2022, at 15:54, Walter Hop <apa...@spam.lifeforms.nl> wrote:
>
> Hi all,
>
> I am trying to strengthen my HTTPS setup.
>
> One security checker which is popular in my country is internet.nl.

And rightly so!

> One thing I have a problem with is their check "Key exchange parameters".
>
> On my old setup, this was DH 2048, which is considered "insufficient" according to internet.nl. I have tried the following things:
>
> 1) use a 4096-bit RSA key and get a new certificate
> 2) generate DH params with: openssl dhparam -out /etc/apache2/dhparam.pem 4096
> 3) in my configuration, added: SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
>
> The result of these steps is that my server now seems to use DH 3072 bit, which is better, but not yet 4096 bit. It's still considered "insufficient" by the checker. You can see the check results here:
> https://internet.nl/site/lifeforms.nl/1527698/#control-panel-14
>
> I'm confused where the DH 3072 comes from. My question is, what should I configure so that DH 4096 is sent?

Is your DH file actually 4096 bits? ;)

Does Apache have a setting similar to tune.ssl.default-dh-param in HAProxy, maybe?

> I am running Apache 2.4.52 (from Ondrej Sury) with OpenSSL 1.1.1 from Ubuntu 18.04 LTS.
>
> Any info would be super useful, thanks in advance!
>
> Kind regards,
> WH
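A way to answer the "is your DH file actually 4096 bits?" question without guessing, added here as an example and not code from the list, from Apache or from the original poster: a small standard-library Python script that decodes the PKCS#3 DER inside an OpenSSL "DH PARAMETERS" PEM file and reports the bit length of the prime p, the generator g, and whether p is a safe prime. The path /etc/apache2/dhparam.pem is the one from the post; the built-in sample is not read from disk but constructed from the RFC 7919 formula for ffdhe2048 (p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1, with g = 2), which is an assumption the script verifies by checking that the result really is a safe prime.

```python
"""Report what an OpenSSL "DH PARAMETERS" file really contains: the bit length
of the prime p, the generator g, and whether p is a safe prime.
Usage: python dhcheck.py /etc/apache2/dhparam.pem   (no path: checks a built-in sample)
Standard library only."""
import base64
import random
import sys
from decimal import Decimal, getcontext

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"


def _der_len(n):
    """DER length octets: short form below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for v >= 0; a leading 0x00 keeps a high-bit value positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-wrapped."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem):
    """Return (p, g) from the PEM text; any trailing optional field is ignored."""
    b64 = pem[pem.index(PEM_HEADER) + len(PEM_HEADER):pem.index(PEM_FOOTER)]
    tag, seq, _ = _read_tlv(base64.b64decode("".join(b64.split())), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; adequate for sanity-checking a parameter file."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # no square reached -1: witness of compositeness
    return True


def check_dh_params(pem):
    """What a key-exchange check cares about: the size of p, plus whether p is a
    safe prime (p = 2q + 1 with q prime), which is what 'openssl dhparam' produces."""
    p, g = parse_dh_params_pem(pem)
    p_prime = is_probable_prime(p)
    return {"bits": p.bit_length(), "generator": g, "prime": p_prime,
            "safe_prime": p_prime and is_probable_prime((p - 1) // 2)}


def ffdhe2048_prime():
    """RFC 7919 ffdhe2048 from the RFC's formula
    p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1
    (assumption: formula transcribed correctly; check_dh_params confirms a safe prime)."""
    getcontext().prec = 800                 # 2^1918 has 578 decimal digits; the rest is guard
    floor_e = int(Decimal(1).exp() * Decimal(2) ** 1918)
    return 2 ** 2048 - 2 ** 1984 + (floor_e + 560316) * 2 ** 64 - 1


# Constructed sample standing in for /etc/apache2/dhparam.pem: ffdhe2048 with g = 2.
SAMPLE_PEM = encode_dh_params_pem(ffdhe2048_prime(), 2)

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for key, value in check_dh_params(pem).items():
        print(f"{key}: {value}")
```

The same file-side check can be done with OpenSSL itself (`openssl dhparam -in /etc/apache2/dhparam.pem -text -noout | head -n 2` prints the prime size). To see what the server actually negotiates rather than what the file holds, connect with `openssl s_client -connect lifeforms.nl:443 -tls1_2 -cipher 'DHE-RSA-AES256-GCM-SHA384'` and read the "Server Temp Key:" line; if the file says 4096 and the connection says 3072, the file is not the parameter set mod_ssl is serving.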