arunoda / meteor-up-legacy

Production Quality Meteor Deployments
MIT License

Weak Diffie-Hellman cipher #877

Open stormbkk87 opened 8 years ago

stormbkk87 commented 8 years ago

While testing my site SSL cert deployed using Mupx, the ssllabs.com tester shows 1 issue. Not sure if this is a cipher suite issue or nginx.conf parameter. Any ideas?

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

Cheers

MasterJames commented 8 years ago

I think it suffers from something called Logjam. I imagine when the key is generated and/or deployed you can remove the Diffie-Hellman from the allowable ciphers. I think long ago the weak ones were allowed for "export" and are called "export cipher suites".

I think SSLCipherSuite is the target but which ones? Ones with DH in them maybe?

Well that's all I could de-cipher on the subject for you today. I hope that's helpful info.

MasterJames commented 8 years ago

Maybe this link is useful. For nginx it's "ssl_cipher" not Apache's SSLCipherSuite https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Shows these settings ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

edmundkwok commented 8 years ago

I submitted a pull request meteorhacks/mup-frontend-server#11 that implements a strong DH key and it just landed!

Docker Hub has built the image, so the next time you restart / deploy, you should get the latest image with this implemented. SSL Labs should be quite happy with the results. Please do test :)
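For readers who run their own nginx in front of Meteor rather than the mup-frontend-server image, the following server block shows the shape of the fix the thread converges on: a custom 2048-bit DH parameter file via `ssl_dhparam`, combined with the cipher list quoted above. This is an added example, not the contents of the merged pull request or of the mup-frontend-server image; the certificate, key and dhparam paths and the `server_name` are placeholders to adjust for your deployment.

```nginx
# Added example (not code from mup-frontend-server or the PR referenced above).
# Paths and server_name are assumed placeholders.
#
# Generate the DH parameter file once on the server before reloading nginx:
#   openssl dhparam -out /etc/nginx/dhparam.pem 2048
# (SSL Labs caps the grade at B for 1024-bit groups; 2048 bits or more clears it.)

server {
    listen 443 ssl;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/certs/bundle.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/private.key; # assumed path

    # The actual fix for the "weak Diffie-Hellman" finding. Older nginx
    # releases (before 1.11.0) used a built-in 1024-bit group when this
    # directive was absent, which is what the scanner flags.
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Cipher list quoted in the thread above. Note that it still includes
    # DHE/EDH suites, so the size of the dhparam file above is what decides
    # whether DH key exchange is reported as weak; dropping DHE entirely is
    # the alternative, at the cost of clients that lack ECDHE support.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    location / {
        proxy_pass http://127.0.0.1:3000;             # assumed Meteor app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;       # needed for DDP websockets
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, `openssl dhparam -in /etc/nginx/dhparam.pem -text -noout` prints the group size so you can confirm 2048 bits were written, and a re-run of the SSL Labs test should no longer show the DH warning.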

MasterJames commented 8 years ago

That's awesome news!