Key exchange 'ffdhe3072' or even 'ffdhe4096' instead of self-created DH 2048 / 3072, which is not safe enough anymore, and cipher order preference

ikkeben

Verified User
Joined
May 22, 2014
Messages
714
Location
Netherlands Germany


DH-3072 != ffdhe3072, so that is my mistake, and many more I guess here :cry:

You can download files with the predefined groups ffdhe3072 or ffdhe4096? I don't know how to do that in DirectAdmin.



GUIDELINES:

Further, better to have ECDHE for mail if possible, as it needs fewer resources.
The larger key sizes required for the use of DHE come with a performance penalty. Carefully evaluate and use ECDHE instead of DHE if you can.
Elliptic curve for ECDHE
  • Good: secp384r1, secp256r1, x448, and x25519
  • Phase out: secp224r1
  • Insufficient: Other curves

Finite field group for DHE

  • Sufficient:
    • ffdhe4096 (RFC 7919)
      • .pem [sha256 checksum: 64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3]
    • ffdhe3072 (RFC 7919)
      • .pem [sha256 checksum: c410cc9c4fd85d2c109f7ebe5930ca5304a52927c0ebcb1a11c5cf6b2386bbab]
  • Phase out:
    • ffdhe2048 (RFC 7919)
      • .pem [sha256 checksum: 9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b]
  • Insufficient: Other groups
Also for mail there is no cipher order preference!?

At least one of your mailservers does not enforce its own cipher preference
 
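Two checks a mail admin would want after reading the guideline table and the "does not enforce its own cipher preference" verdict, as an added example (not code from the thread, from DirectAdmin, or from the test site quoted; the function names are this example's own). It assumes OpenSSL 1.1 or newer for the "Server Temp Key" line, and the offline parts run on constructed transcripts.

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin. Two checks behind the
# verdicts quoted above, built on `openssl s_client -starttls smtp` transcripts: classify
# the ephemeral key against the guideline table, and decide whether the server enforces
# its own cipher order by offering the same two ciphers in opposite order twice.
# Function names are this example's own; sample transcripts are constructed.

# Negotiated cipher from a transcript on stdin (the "New, TLSv1.2, Cipher is ..." line).
negotiated_cipher() {
  sed -n 's/^New, TLSv[0-9.]*, Cipher is \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# "Server Temp Key:" value from a transcript on stdin, e.g. "DH, 2048 bits".
temp_key() {
  sed -n 's/^Server Temp Key: //p' | head -n 1
}

# Map the temp key onto the guideline's classes. s_client reports only the DH size, not
# whether the group is the RFC 7919 one (DH-3072 != ffdhe3072), so a "sufficient" DH
# result still needs the configured group file compared against the RFC 7919 .pem.
key_verdict() {
  case "$1" in
    X25519*|X448*|*"P-256"*|*"P-384"*) echo sufficient ;;
    *"P-224"*)                         echo "phase out" ;;
    "DH, 4096 bits"|"DH, 3072 bits")   echo sufficient ;;
    "DH, 2048 bits")                   echo "phase out" ;;
    *)                                 echo insufficient ;;
  esac
}

# $1/$2: cipher chosen when offering "$3:$4" and then "$4:$3".
order_verdict() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then echo server        # same pick: server order
  elif [ "$1" = "$3" ] && [ "$2" = "$4" ]; then echo client  # followed the client order
  else echo unknown                                           # a handshake failed, etc.
  fi
}

# Live run against a mail host (needs network; TLS 1.2 forced because -cipher does not
# order TLS 1.3 suites; both ciphers must be supported by the server).
check_mail_tls() {
  host="$1"; a="$2"; b="$3"
  t1=$(openssl s_client -connect "$host:25" -starttls smtp -tls1_2 -cipher "$a:$b" </dev/null 2>/dev/null)
  t2=$(openssl s_client -connect "$host:25" -starttls smtp -tls1_2 -cipher "$b:$a" </dev/null 2>/dev/null)
  k=$(printf '%s\n' "$t1" | temp_key)
  echo "key exchange: $k -> $(key_verdict "$k")"
  echo "cipher order: $(order_verdict "$(printf '%s\n' "$t1" | negotiated_cipher)" \
                                      "$(printf '%s\n' "$t2" | negotiated_cipher)" "$a" "$b")"
}
```

Run it as `check_mail_tls mail.example.invalid ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256` (placeholder host); a "client" verdict is exactly the condition the quoted test result complains about.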

wattie

Verified User
Joined
May 31, 2008
Messages
1,084
Location
Bulgaria
It should be done through the config files.

I tried just reordering the curves in the past but failed:

 

ikkeben

Verified User
Joined
May 22, 2014
Messages
714
Location
Netherlands Germany
It should be done through the config files.

I tried just reordering the curves in the past but failed:

Yes, some things are better now with TLS and ciphers and such, but it is still hard to get all things / settings right. And even harder to find out where to change what (CUSTOM or not?): 1024 - 2048 3072 409 for all kinds of certs ("FTP/..", MAIL, SSH, WEB, and more), where, and the curves also.

Then the newer OS with newer OpenSSL, such as CentOS 8 with some system-wide crypto policies.

https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/ did not solve all of those to be / get a compliant system with the guidelines for 2019/2020, not only PCI / NIST / HIPAA, but also a lot of country / EU guidelines / rules for those security parts as


More of such links here https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/#post-303186



I mean, make one base to start from for those howtos/wikis about all this stuff, and also an as-easy-as-possible GUI / CONFIG system in DA by default so an admin can have those conf files in the edit-files GUI of DA even if custom. (I know how to add them there but ...)

Together with expanding / adding some edit files for admins in the DA GUI, it would be nice if on that page you could also see an easy overview of whether there are custom conf files.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Hello,

Did you get it fixed? Or do you still have issues? We've managed to get good results with Nginx, though we did not try other web servers yet.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
We usually use Nginx in front of Apache, and don't use stand-alone Apache. So I don't have any instruction for the Apache. Did you try Nginx? Or want to try Nginx?
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
714
Location
Netherlands Germany
Will try on a CentOS 8 test in a few days, no time now, sorry, but I will post the result here of course.

NO, not wanting Nginx, I would have to learn more than I can handle for now with all the other things that must run and be updated on the servers. ;)
 