Disable Diffie-Hellman

isa · August 12, 2017, 10:01pm

Hi

I have done a scan on my website using ssllabs and I get this message “This server supports weak Diffie-Hellman (DH) key exchange parameters.” How can I disbale this? Below are my CIPHER Suite config.

ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

lukastribus · August 17, 2017, 10:12pm

Do you want to disable DH or do you want to use secure DH params?

I suggest you use the suggestions from the Mozilla configuration generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.0.2&hsts=yes&profile=intermediate

Topic		Replies	Views
Layer4 health check failures while using option http-check Help!	16	1216	September 8, 2023
Warnings to redirect to /dev/null Help!	0	1150	June 14, 2018
Statistics Report Page Help!	0	324	April 4, 2019
Do not reply with 5xx and 4xx errcodes Help!	2	571	May 24, 2018
Automattically getting out of backup server Help!	2	315	January 19, 2021

Disable Diffie-Hellman

Related Topics