I was testing one of my sites using both securityheaders and ssllabs, and found that I was being marked down due to a weak Diffie-Hellman key exchange and due to supporting certain weak cryptographic algorithms.
I was determined to get an A+ on both, and after a bit of trial and error this is how to configure nginx to use strong Diffie-Hellman parameters and to force the server to only offer certain cipher suites.
If you are using a proxy as per our other tutorials, you will need to treat this new .pem file as you do the web certificate: create it on the web server, then move a copy to the proxy server and point to it as you would with your .cer and .key files. However, the "ssl_ciphers" entry only needs to be on the web server. In this example our site is named 'site1.com'.
To create our new Diffie-Hellman parameters, on the web server we run:
sudo openssl dhparam -out dhsite1params.pem 2048
This will create our .pem file, which we then move to the same location as our .key and .cer files so they can be easily referenced.
The line we need to add to the site file is:
"ssl_dhparam /etc/nginx/dh/dhsite1params.pem;"
To ensure we are only using strong encryption ciphers we also need to add a few more lines to our site file.
"ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;"
We add them to our site file by opening it with:
sudo nano /etc/nginx/sites-available/site1
Then add the previously shown lines to our SSL configuration as shown below:
#SSL configuration
server {
    access_log off;
    log_not_found off;
    error_log logs/yoursite.com-error_log warn;
    listen 443 ssl;
    server_name site1.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_certificate /etc/nginx/cert/crt/yoursite.crt;
    ssl_certificate_key /etc/nginx/cert/key/yoursite.key;
    ssl_dhparam /etc/nginx/dh/dhsite1params.pem;
}
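Before reloading nginx it is worth checking that a site file actually carries the three directives above, since a missing ssl_dhparam or a cipher list that still names an old family is exactly what the scanners mark down. The following POSIX shell audit is an added example, not part of the original post and not an nginx tool: it greps a server block for ssl_dhparam, ssl_prefer_server_ciphers on, SSLv2/SSLv3 in ssl_protocols, and weak cipher families (RC4, DES/3DES, MD5, NULL, EXPORT, LOW) in the OpenSSL-syntax ssl_ciphers list, skipping exclusions written with '!' or '-'. The two sample configs it writes under a temp directory are constructed for the demonstration; the paths inside them mirror the post and do not need to exist.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx server block
# for the hardening directives the post adds. Sample configs are constructed.

# audit_nginx_tls FILE
# Prints one line per check; returns 0 only when every check passes.
audit_nginx_tls() {
    conf="$1"
    status=0

    # 1. ssl_dhparam must be set; without it nginx uses a short built-in DH group.
    if grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]+[^;]+\.pem[[:space:]]*;' "$conf"; then
        echo "ok    ssl_dhparam is set"
    else
        echo "FAIL  ssl_dhparam missing"
        status=1
    fi

    # 2. The server's cipher order must win over the client's.
    if grep -Eiq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "ok    ssl_prefer_server_ciphers on"
    else
        echo "FAIL  ssl_prefer_server_ciphers is not on"
        status=1
    fi

    # 3. ssl_protocols must not enable SSLv2 or SSLv3.
    if grep -Eiq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$conf"; then
        echo "FAIL  ssl_protocols enables SSLv2/SSLv3"
        status=1
    else
        echo "ok    ssl_protocols has no SSLv2/SSLv3"
    fi

    # 4. Walk the ':'-separated OpenSSL cipher list. Elements starting with
    #    '!' or '-' are exclusions and are skipped; any other element that
    #    names a weak family fails the check.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*//p' "$conf" | tr -d "'\";")
    cipher_bad=0
    if [ -z "$ciphers" ]; then
        echo "FAIL  ssl_ciphers missing (nginx default list would be used)"
        cipher_bad=1
    fi
    for item in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$item" in '!'*|-*) continue ;; esac
        if printf '%s' "$item" | grep -Eiq 'RC4|DES|MD5|NULL|EXPORT|LOW'; then
            echo "FAIL  weak cipher family in list: $item"
            cipher_bad=1
        fi
    done
    [ "$cipher_bad" -eq 0 ] && echo "ok    ssl_ciphers has no weak families"
    [ "$cipher_bad" -eq 0 ] || status=1

    return "$status"
}

# Constructed sample configs: one hardened as in the post, one left at weak settings.
WORK=$(mktemp -d)
GOOD_CONF="$WORK/site1-hardened.conf"
BAD_CONF="$WORK/site1-weak.conf"

cat > "$GOOD_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name site1.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_certificate /etc/nginx/cert/crt/yoursite.crt;
    ssl_certificate_key /etc/nginx/cert/key/yoursite.key;
    ssl_dhparam /etc/nginx/dh/dhsite1params.pem;
}
EOF

cat > "$BAD_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name site1.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:RC4:!aNULL';
    ssl_certificate /etc/nginx/cert/crt/yoursite.crt;
    ssl_certificate_key /etc/nginx/cert/key/yoursite.key;
}
EOF

echo "== hardened block"
audit_nginx_tls "$GOOD_CONF"
echo "== weak block"
audit_nginx_tls "$BAD_CONF" || echo "(audit failed, as expected for the weak block)"
```

Run it as sh audit.sh; the hardened block passes every check and the weak one reports the missing ssl_dhparam, the missing ssl_prefer_server_ciphers, SSLv3 and the RC4 entry. It only inspects the text of the site file, so it complements, rather than replaces, nginx -t and a rescan with ssllabs after the reload.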
That’s it.
I ran the scan again and this time I got an A+.