Key exchange 'ffdhe3072' or even 'ffdhe4096' instead of own created DH 2048 , 3072 while is not safe enough anymore, and cipher order preference

ikkeben

Verified User
Joined
May 22, 2014
Messages
1,553
Location
Netherlands Germany
Read here about user and discussion.


DH-3072 != ffdhe3072 so that is my mistake and many more i guess here :cry:

You can download files with predefined groups ffdhe3072 or ffdhe4096 ? don't know howto in Directadmin?



GUIDELINES:

Further better having for mail then if possible ECDHE while less reources..
The larger key sizes required for the use of DHE come with a performance penalty. Carefully evaluate and use ECDHE instead of DHE if you can.

Elliptic curve for ECDHE
  • Good: secp384r1, secp256r1, x448, and x25519
  • Phase out: secp224r1
  • Insufficient: Other curves

Finite field group for DHE

  • Sufficient:
  • ffdhe4096 (RFC 7919)
    • .pem [sha256 checksum: 64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3]
    • ffdhe3072 (RFC 7919)
    • .pem [sha265 checksum: c410cc9c4fd85d2c109f7ebe5930ca5304a52927c0ebcb1a11c5cf6b2386bbab]
  • Phase out:
  • ffdhe2048 (RFC 7919)
    • .pem [sha265 checksum: 9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b]
  • Insufficient: Other groups
Also for mail there is no Cipher order preference!?

At least one of your mailservers does not enforce its own cipher preference

 
Last edited:
It should be done through the config files.

I tried just reordering the curves in the past but failed:

 
It should be done through the config files.

I tried just reordering the curves in the past but failed:


Yes some are better now with TLS and Ciphers and such stuff now but still hard to do all things / settings right. And even harder to find out where what to change ( CUSTOM or not? ) 1024 - 2048 3072 409 for all kind of certs ( "FTP/..", MAIL, SSH, WEB, . and more) where and the curves also.

Then the newer OS with newer openssl .. as Centos 8 with some systemwide crypto policies

https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/ solved not all of those to be / get a compliant system with the guidelines for 2019/2020 not only PCI / NIST / HIPAA , but also a lot of Country / EU guidelines / rules for those security parts as


More of such links here https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/#post-303186



I mean make one base to start from for those howto/wiki's about all this stuff , and also a easy as possible GUI /CONFIG system in DA default possible for admin to have those conf files in edit files GUI DA even if custom. ( i know howto ad them there but ... )

Together with expanding / adding some edit files for Admins in DA GUI, it should be nice if there you can see on that page a easy overview if there are custom conf files to?
 
Last edited:
Hello,

Did you get it fixed? Or you still have issues? We've managed to get good results with Nginx, though did not try other web-servers yet.
 
We usually use Nginx in front of Apache, and don't use stand-alone Apache. So I don't have any instruction for the Apache. Did you try Nginx? Or want to try Nginx?
 
Wil try on centos8 test.. in about some days , no time now sorry. , but post here result ofcourse.

NO not wanting Nginx , have to learn more then i can handle for now with all other things that must run and updated on servers . ;)
 
Back
Top