Tags: ssl, lets-encrypt, diffie-hellman, starttls, certbot

Certbot using weak Diffie-Hellman encryption


I was reading here

https://weakdh.org/

If I verify the security of one of my sites that uses certbot on

https://www.ssllabs.com/ssltest/analyze.html

I get rated B because of that.

Is there a solution?

Certbot is basically the implementation of https://letsencrypt.org/ for many systems.


Solution

  • I just ran into the same problem. The core issue is described here: https://weakdh.org/

    As I understand it, most web servers start Diffie-Hellman with the same default set of prime numbers, and this was later found to be a security flaw. The fix is to generate new primes for your site's Diffie-Hellman key negotiation. This page has details: https://weakdh.org/sysadmin.html

    In short, run openssl dhparam -out dhparams.pem 2048, and then add the path to the resulting file in your nginx server config block:

    ssl_dhparam {path to dhparams.pem};

    For example, I put mine in /etc/letsencrypt, so I ran

    sudo openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048

    and added

    ssl_dhparam /etc/letsencrypt/dhparams.pem;

    under the other Certbot config lines in my server block.

    After restarting nginx with sudo service nginx restart, I got an A grade on ssllabs.com.

    I hope this helps.