Key exchange 'ffdhe3072' or even 'ffdhe4096' instead of own created DH 2048 , 3072 while is not safe enough anymore, and cipher order preference

I

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,553
Location
Netherlands Germany
Read here about user and discussion.

https://twitter.com/x/status/1204781330782924800

DH-3072 != ffdhe3072 so that is my mistake and many more i guess here :cry:

You can download files with predefined groups ffdhe3072 or ffdhe4096 ? don't know howto in Directadmin?

github.com

GitHub - internetstandards/dhe_groups: .pem files for pre-defined DHE groups as recommended by IETF RFC 7919

.pem files for pre-defined DHE groups as recommended by IETF RFC 7919 - internetstandards/dhe_groups
github.com github.com


GUIDELINES:
english.ncsc.nl

IT Security Guidelines for Transport Layer Security (TLS) v2.0

These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). TLS is the most popular protocol to secure connections on the Internet.
english.ncsc.nl english.ncsc.nl

Further better having for mail then if possible ECDHE while less reources..
The larger key sizes required for the use of DHE come with a performance penalty. Carefully evaluate and use ECDHE instead of DHE if you can.
Click to expand...

Elliptic curve for ECDHE
Click to expand...
  • Good: secp384r1, secp256r1, x448, and x25519
  • Phase out: secp224r1
  • Insufficient: Other curves

Finite field group for DHE

  • Sufficient:
  • ffdhe4096 (RFC 7919)
    • .pem [sha256 checksum: 64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3]
    • ffdhe3072 (RFC 7919)
    • .pem [sha265 checksum: c410cc9c4fd85d2c109f7ebe5930ca5304a52927c0ebcb1a11c5cf6b2386bbab]
  • Phase out:
  • ffdhe2048 (RFC 7919)
    • .pem [sha265 checksum: 9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b]
  • Insufficient: Other groups
Click to expand...
Also for mail there is no Cipher order preference!?

At least one of your mailservers does not enforce its own cipher preference
Click to expand...

github.com

GitHub - internetstandards/toolbox-wiki: Internet.nl toolbox - how-to's for modern mail security standards (DMARC, DKIM, SPF and DANE)

Internet.nl toolbox - how-to's for modern mail security standards (DMARC, DKIM, SPF and DANE) - internetstandards/toolbox-wiki
github.com github.com
 
Last edited:
It should be done through the config files.

I tried just reordering the curves in the past but failed:

SSLOpenSSLConfCmd Curves ... failed for DOMAIN:443

I tried reordering the TLS curves. I fetched the supported list of curves which SSLLabs gave me: secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1, secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1 (server preferred order) and then I...
forum.directadmin.com forum.directadmin.com
 
wattie said:
It should be done through the config files.

I tried just reordering the curves in the past but failed:

SSLOpenSSLConfCmd Curves ... failed for DOMAIN:443

I tried reordering the TLS curves. I fetched the supported list of curves which SSLLabs gave me: secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1, secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1 (server preferred order) and then I...
forum.directadmin.com forum.directadmin.com
Click to expand...

Yes some are better now with TLS and Ciphers and such stuff now but still hard to do all things / settings right. And even harder to find out where what to change ( CUSTOM or not? ) 1024 - 2048 3072 409 for all kind of certs ( "FTP/..", MAIL, SSH, WEB, . and more) where and the curves also.

Then the newer OS with newer openssl .. as Centos 8 with some systemwide crypto policies

https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/ solved not all of those to be / get a compliant system with the guidelines for 2019/2020 not only PCI / NIST / HIPAA , but also a lot of Country / EU guidelines / rules for those security parts as

english.ncsc.nl

IT Security Guidelines for Transport Layer Security (TLS) v2.0

These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). TLS is the most popular protocol to secure connections on the Internet.
english.ncsc.nl english.ncsc.nl

More of such links here https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/#post-303186


Exim port 465 TLSv1 and TLSv1.1 not allowed

We have setup a new CentOS 8 server and we have noticed that exim doesn't allow TLSv1 and TLSv1.1 connections on port 465. On an older server (CentOS 7) with the same exim version and exim.conf version exim does allow TLSv1 and TLSv1.1 on port 465. On port 993 TLSv1 and TLSv1.1 works CentOS 8...
forum.directadmin.com forum.directadmin.com

I mean make one base to start from for those howto/wiki's about all this stuff , and also a easy as possible GUI /CONFIG system in DA default possible for admin to have those conf files in edit files GUI DA even if custom. ( i know howto ad them there but ... )

Together with expanding / adding some edit files for Admins in DA GUI, it should be nice if there you can see on that page a easy overview if there are custom conf files to?
 
Last edited:
Hello,

Did you get it fixed? Or you still have issues? We've managed to get good results with Nginx, though did not try other web-servers yet.
 
We usually use Nginx in front of Apache, and don't use stand-alone Apache. So I don't have any instruction for the Apache. Did you try Nginx? Or want to try Nginx?
 
Wil try on centos8 test.. in about some days , no time now sorry. , but post here result ofcourse.

NO not wanting Nginx , have to learn more then i can handle for now with all other things that must run and updated on servers . ;)
 
You must log in or register to reply here.
Back
Top