eforce21 / letsencrypt-nginx-proxy

reverse proxy with automated vHost and SSL-cert generation
MIT License
41 stars 11 forks

Weak Diffie-Hellman key exchange parameters #8

Open mrplow opened 8 years ago

mrplow commented 8 years ago

ssllabs.com:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

jwilder/nginx-proxy supports openssl generated DH key groups https://github.com/jwilder/nginx-proxy#diffie-hellman-groups

VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.dhparam.pem

JrCs/docker-letsencrypt-nginx-proxy-companion's build generates one on the first start https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/entrypoint.sh

    function check_dh_group {
        # Generate the group only once; write to a temp file first so nginx
        # never picks up a half-written dhparam.pem
        if [[ ! -f /etc/nginx/certs/dhparam.pem ]]; then
            echo "Creating Diffie-Hellman group (can take several minutes...)"
            openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp 2048
            mv /etc/nginx/certs/.dhparam.pem.tmp /etc/nginx/certs/dhparam.pem || exit 1
        fi
    }

Along with the above, editing ssl.tmpl to symlink dhparam.pem to foo.bar.com.dhparam.pem would also be needed. But I'm not skilled enough in git to create a PR.
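The two steps described in this post, generate one DH group the way the companion does and expose it under the per-VIRTUAL_HOST name that nginx-proxy looks for, as an added example that is not code from this project or from the companion; the function names, the `CERTS_DIR`/`DH_BITS` variables and the bit-size check are assumptions of this example, and `/etc/nginx/certs` is the path from the issue.

```bash
#!/usr/bin/env bash
# Added example, not the eforce21 project's own code.
set -eu

# Generate the DH group once. It is written to a temp file first so nginx
# never reads a half-written dhparam.pem.  $1 = certs dir, $2 = bit size.
ensure_dh_group() {
  local dir=$1 bits=${2:-2048}
  if [ ! -f "$dir/dhparam.pem" ]; then
    echo "Creating Diffie-Hellman group (can take several minutes...)"
    openssl dhparam -out "$dir/.dhparam.pem.tmp" "$bits"
    mv "$dir/.dhparam.pem.tmp" "$dir/dhparam.pem"
  fi
}

# Point the per-host file that jwilder/nginx-proxy expects
# (VIRTUAL_HOST=foo.bar.com -> foo.bar.com.dhparam.pem) at the shared group.
# Idempotent: an existing link is replaced rather than nested.
link_vhost_dhparam() {
  local dir=$1 host=$2
  ln -sfn dhparam.pem "$dir/$host.dhparam.pem"
}

# Report the size of a DH group in bits, parsed from openssl's text dump
# ("DH Parameters: (2048 bit)").
dh_bits() {
  openssl dhparam -in "$1" -noout -text | grep -o '[0-9]* bit' | head -n1 | cut -d' ' -f1
}

# Succeeds only for groups of at least 2048 bits; smaller groups are what
# SSL Labs reports as "weak Diffie-Hellman (DH) key exchange parameters".
dh_is_strong() {
  [ "$(dh_bits "$1")" -ge 2048 ]
}

# Typical use (assumed variables): CERTS_DIR=/etc/nginx/certs DH_BITS=2048 VIRTUAL_HOST=foo.bar.com
run_dh_setup() {
  local dir=${CERTS_DIR:-/etc/nginx/certs} host
  ensure_dh_group "$dir" "${DH_BITS:-2048}"
  for host in ${VIRTUAL_HOST:-}; do
    link_vhost_dhparam "$dir" "$host"
  done
  dh_is_strong "$dir/dhparam.pem"
}
```

Source the file and call `run_dh_setup`, or call the functions individually; `dh_is_strong` gives a non-zero exit for a group that SSL Labs would still flag.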

mrplow commented 8 years ago

Hmmm I'm not getting this anymore, it's working fine...

No change to anything, seems to have fixed itself over the last few days.

edit oh yeah I generated my own dh and moved it to the certs folder ha ha

sopitz commented 8 years ago

Thanks for letting us know! We will also look into why it took so long. Actually there should be a strong DH group in there, but I'll take a look whether we can use your code to enhance our image.

tkaefer commented 8 years ago

I've run into the same ssllabs.com thingy. So it would be nice to get DH param for this setup here. I would really appreciate this. Thanks

petebytes commented 7 years ago

I just encountered the same issue - "this server supports weak Diffie-Hellman" using SSL Labs. Running on Ubuntu 16.04 installed using easy engine --letsencrypt